RE: PKI Action Plan 0.2

["Sabo, John T" <John.T.Sabo@ca.com>]

Steve,

A few comments:  

1. In the introduction, para 2: "But high costs and interoperability
problems have limited the use of PKI."

I'd suggest saying "But a number of barriers, including lack of
applications, high costs, poor understanding of its benefits, and
interoperability problems have contributed to the limited use of PKI."

2. The comment, "Within two years, PKI deployment should be
substantially easier." may be too optimistic given harsh reality.  How
about " The PKI TC believes that a serious effort by industry
practitioners to execute the action plan will contribute to increased
usage."  --or soimething along those lines.

3. Last Paragraph, Section 2.0: I would suggest deleting the sentence,
"Membership fees are quite low, especially for individuals and
non-profit organizations."  This seems to make it more like a commercial
than an invitation.

4. In seeking comments on the action plan, I suggest abit more
specfificity  in what we are asking for with respect to comments, and
perhaps a more direct request for help in developing a  multi-facted
plan, with the TC working with other bodies, vendors, users, etc. to
achieve our goals of accelerated use of PKI. 

I suggest that we more directly seek input from a variety of
stakeholders as to the viability of the plan, the relative importance of
action steps, the resources and level of effort necessary to achieve
specific deliverables, work already underway or planned which will
address these issues, the appropriate bodies internationally that may be
best positioned to deal with specific actions, and whether (and how)
such a plan should be coordinated among stakeholders.  

I am suggesting this in part because major efforts have been undertaken
(e.g., EEMA PKI Challenge)with huge resource investments, and they have
come up with some progress, but no ultimate solution on very specific
issues.  I just think the plan suggests that the task is easily
achieved...may be read by some experienced people that we are perhaps a
bit naive regarding the complexity of the issues etc.  My suggestion
then would be to directly acknowledge the challenge and yet offer the
action plan as an effort to establish a multi-faceted and coordinated
effort.

At the ISSE2003 conference there has been lots of talk about PKI, and
how it never achieved its promise, how most of the issues aren';t
technical, etc etc...a very big context and lots of activities have been
undertaken,and yet there are large deployments coming about (e.g.,
Spanish e-Identity card)despite the obstacles --  hence my suggestions
about acknowledging such efforts, and seeking assistance in building a
industry-wide plan.

Hope these comments are useful.

Thanks,

John

Let me know if you think

------------------------------------------------------------------
John T. Sabo, CISSP
Manager, Security Privacy and Trust Initiatives
Computer Associates International
2291 Wood Oak Drive
Herndon, Virginia, 20171
USA
Phone: +1 703-708-3037
Mobile: +1 443-629-6198


-----Original Message-----
From: Steve Hanna [mailto:steve.hanna@sun.com]
Sent: Monday, October 06, 2003 1:30 PM
To: PKI TC
Subject: [pki-tc] PKI Action Plan 0.2


Here (attached to this email) is a slightly revised
version of our PKI Action Plan. I changed the wording
in one item (the "Develop Application Guidelines for
PKI Use" item) in response to comments received from a
PKI TC member.

Since we agreed to have a review period until last
Friday for review within the TC and I have made all
the changes requested during that period (only one),
I think we can move on to discussing this plan on a
confidential basis with a small number of key stakeholders.
As agreed at the F2F, we'll feed back comments from these
stakeholders to the PKI TC email list and aim to
release a draft for public review at the end of October.

BTW, if you have not reviewed this plan, please do
so now.

Thanks,

Steve