pki-survey message


Subject: Re: [pki-survey] Final draft follow-up survey


Paul,

I'm sorry to hear about your illness. But I'm glad
to hear you have recovered now.

I would be glad to ask a question about exactly
what dollar costs are acceptable. That would help us
understand what level of cost reductions are needed.

But it seems to me that the acceptable cost (per
certificate per year) depends on the application
and on the customer. Some applications (like SSL
for web-based merchants) provide a high return for
each certificate. Others (like authenticating
employees for HR applications) do not. I'm not
sure how we could phrase this question so that
we wouldn't be comparing apples to oranges.

If you have specific ideas, please let me know.

Thanks,

Steve

Evans Paul wrote:
> 
> Steve,
> 
> This is excellent!  My only thoughts involve the cost issue, but I'm not
> sure I can do any better than what you've done thus far.
> 
> The resistance to cost I've encountered boils down to the cost of
> ownership on a per-person basis.  It's the old R.O.I. formula.  I
> understand that we shouldn't be doing market research on behalf of the
> vendors, but learning what is an acceptable cost per person might be
> highly useful. It would also give us some insight into the perceived
> value of PKI.
> 
> I'm not strongly tied to including this, though.  It's always part of the
> tension of creating a survey that's not too long or detailed but
> contains enough detail to be meaningful and useful.
> 
> My apologies for not responding earlier - I contracted a case of
> salmonella poisoning two weeks ago that took a week to shake and put me
> way behind in my work.
> 
> Paul
> 
> Steve Hanna wrote:
> 
> >It's important for respondents to quickly understand
> >what each item means. I guess it might help to add
> >a few example protocols. How about "(such as S/MIME
> >or SSL)", since those are probably the two most
> >commonly used protocols that use PKI?
> >
> >This doesn't seem too leading to me. I don't think
> >the respondent will be more or less likely to choose
> >that item if we include this explanation.
> >
> >Thanks,
> >
> >Steve
> >
> >Sharon Boeyen wrote:
> >
> >
> >>Steve, I agree with all of your suggestions. On the "protocols that
> >>use PKI" would it be a good idea to add an "e.g. S/MIME" or do you
> >>think that would be too leading?
> >>
> >>-----Original Message-----
> >>From: Steve Hanna [mailto:steve.hanna@sun.com]
> >>Sent: Tuesday, August 05, 2003 5:05 PM
> >>To: Sharon Boeyen
> >>Cc: PKI TC Survey SC
> >>Subject: Re: [pki-survey] Final draft follow-up survey
> >>
> >>Thanks for the review, Sharon. My comments are below.
> >>
> >>Sharon Boeyen wrote:
> >>
> >>
> >>>I have no comments on the email text - I think it's perfect.
> >>>
> >>>
> >>Good!
> >>
> >>
> >>
> >>>Just a couple of minor comments on the survey itself:
> >>>
> >>>1 - In the privacy statement it says "If you choose to
> >>>provide your email address..." but they really don't have
> >>>a choice do they? Question 1 requires that they supply it.
> >>>Suggest rewording the privacy statement to say "If you choose
> >>>to complete this survey (note that this requires supplying
> >>>your email address)..."
> >>>
> >>>
> >>Good point. I'll make this change.
> >>
> >>
> >>
> >>>2 - In question 2 I'm wondering if the "(generally not
> >>>legally binding)" could be changed to something like "(generally
> >>>no specific legal significance)". I'm thinking of things like
> >>>expense claims for business travel or other forms signed within
> >>>your own company for example. Your employment contract may make
> >>>these legally binding but they are different than signing contracts
> >>>for example. I like the "legally binding" for that category but
> >>>think the "not" may be a bit misleading in the signing electronic
> >>>forms case.
> >>>
> >>>
> >>I see what you mean. The phrase "generally no specific legal
> >>significance" is long and a bit lawyerly, though. How about
> >>moving Signing Contracts to the front (since that's short
> >>and clear) and changing the parenthetical comment for Signing
> >>Electronic Forms to "(not legal agreements)" or "(not contracts)"?
> >>
> >>
> >>
> >>>3 - In the text just before question 3, where you describe the
> >>>points system it might be helpful to add another sentence at the
> >>>end of the first paragraph to make sure people understand that
> >>>they don't need to distribute the points among all items, only to
> >>>those of importance to them. Something along these lines "Note that you are
> >>>free to allocate the points as you see fit and there is no need
> >>>to allocate points to each item, only to those you feel are
> >>>important. For example all 10 points could be allocated to a single item
> >>>if you feel that reflects the relative importance." might work, but
> >>>I'm flexible on the text itself. Just want to make sure they understand
> >>>the flexibility.
> >>>
> >>>
> >>OK. I'll make a change for this.
> >>
> >>
> >>
> >>>4 - In 7a, I suggest adding another item to the list (probably fits
> >>>in between certificate revocation and smart card). The item is
> >>>path validation.
> >>>
> >>>
> >>That's a good one. It's pretty specific.
> >>
> >>I think the three items that start with Application are
> >>too vague. Respondents will have trouble knowing what they
> >>mean and we'll have trouble knowing what to do if they
> >>are ranked high. Maybe we should change them to:
> >>
> >>Protocols that use PKI
> >>   [formerly Application-Server and Application-Application]
> >>
> >>Unusual Certificate Contents
> >>   [formerly Application-Certificate]
> >>
> >>
> >>
> >>>5 - In question 8, first paragraph. It might be good to add a sentence
> >>>to the end of this paragraph indicating that we still have the comments
> >>>they provided in the first survey so they need not repeat those, but any
> >>>additional thoughts would be welcome here.
> >>>
> >>>
> >>There is a note about that later in question 8.
> >>I'll move it to the end of the first paragraph.
> >>
> >>
> >>
> >>>Sorry I've taken so long to respond - just been swamped :-)
> >>>
> >>>
> >>That's OK. I was worried we would miss our August 11
> >>startup date. But the OASIS staff is moving quickly.
> >>I should have a prototype survey for you to try by
> >>Thursday at the latest.
> >>
> >>Thanks,
> >>
> >>Steve
> >>
> 
