

Subject: RE: [pki-tc] RE: PKI Action Plan 0.2


Steve,

Thanks...you've captured my points perfectly.  And I agree with the
"ambitious optimist" comment as well.  We don't have control over
people's reactions to our words, and so I wanted the right tone and
inference to come through.

John

------------------------------------------------------------------
John T. Sabo, CISSP
Manager, Security Privacy and Trust Initiatives
Computer Associates International
2291 Wood Oak Drive
Herndon, Virginia, 20171
USA
Phone: +1 703-708-3037
Mobile: +1 443-629-6198


-----Original Message-----
From: Steve Hanna [mailto:steve.hanna@sun.com]
Sent: Tuesday, October 07, 2003 5:44 PM
To: Sabo, John T
Cc: PKI TC (E-mail)
Subject: Re: [pki-tc] RE: PKI Action Plan 0.2


John,

These are very good comments. You make a good point
that it's important for us not to downplay the
difficulty of the problems facing PKI. They may be
surmountable with a concerted effort by the industry.
But they are difficult and real. The current version
of the Action Plan fails to adequately acknowledge
this. We should revise the text to fix this.

> I suggest that we more directly seek input from a variety of
> stakeholders as to the viability of the plan, the relative
> importance of action steps, the resources and level of effort
> necessary to achieve specific deliverables, work already underway
> or planned which will address these issues, the appropriate bodies
> internationally that may be best positioned to deal with specific
> actions, and whether (and how) such a plan should be coordinated
> among stakeholders.

Yes, this makes sense. We should agree on a set of questions
that we want to ask people as we brief them on the PKI Action
Plan. That will make it easier to do some of this by email.

If you don't mind, I'll rephrase your list of topics as
questions and add a few comments and questions of my own
(in square braces).

* Is this plan viable? [I might say feasible instead]
* What is the relative importance of the action steps
  we have proposed?
* What resources will be required to achieve the specific
  deliverables identified in the plan?
* Is there work already underway or planned that will
  address these issues?
* Who are the most appropriate bodies internationally that
  may be best positioned to deal with the specific actions
  in the plan?
* Whether and how should this plan be coordinated among
  all the relevant stakeholders?

Here are a few more questions I'd like to ask:

* Is this plan ambitious enough?
* Does it properly identify the most critical problems?
* Does it propose practical, but effective solutions?
* How could the plan be improved?
* Who should be involved in executing the plan?
* How can we contact, motivate, and involve them?

I invite comments on and additions to these questions.

John, if I'm missing your point, please let me know.

Thanks,

Steve

P.S. I think there's a fine line between naivete and optimism,
between an ambitious undertaking and a pipe dream. Of course,
we want to be ambitious optimists and not naive dreamers. We
must make sure that our PKI Action Plan is practical and well
informed by experience and reality. But if we scope our work
too narrowly we will also be doomed to failure. Nobody wants
to spend lots of time and money only to make a small difference.
Forgive me for that moment of "deep thought". ;-)

"Sabo, John T" wrote:
> 
> Steve,
> 
> A few comments:
> 
> 1. In the introduction, para 2: "But high costs and interoperability
> problems have limited the use of PKI."
> 
> I'd suggest saying "But a number of barriers, including lack of
> applications, high costs, poor understanding of its benefits, and
> interoperability problems have contributed to the limited use of PKI."
> 
> 2. The comment, "Within two years, PKI deployment should be
> substantially easier." may be too optimistic given harsh reality.  How
> about "The PKI TC believes that a serious effort by industry
> practitioners to execute the action plan will contribute to increased
> usage."  --or something along those lines.
> 
> 3. Last Paragraph, Section 2.0: I would suggest deleting the sentence,
> "Membership fees are quite low, especially for individuals and
> non-profit organizations."  This seems to make it more like a
> commercial than an invitation.
> 
> 4. In seeking comments on the action plan, I suggest a bit more
> specificity in what we are asking for with respect to comments, and
> perhaps a more direct request for help in developing a multi-faceted
> plan, with the TC working with other bodies, vendors, users, etc. to
> achieve our goals of accelerated use of PKI.
> 
> I suggest that we more directly seek input from a variety of
> stakeholders as to the viability of the plan, the relative importance
> of action steps, the resources and level of effort necessary to achieve
> specific deliverables, work already underway or planned which will
> address these issues, the appropriate bodies internationally that may
> be best positioned to deal with specific actions, and whether (and how)
> such a plan should be coordinated among stakeholders.
> 
> I am suggesting this in part because major efforts have been undertaken
> (e.g., EEMA PKI Challenge) with huge resource investments, and they have
> come up with some progress, but no ultimate solution on very specific
> issues.  I just think the plan suggests that the task is easily
> achieved...may be read by some experienced people that we are perhaps a
> bit naive regarding the complexity of the issues etc.  My suggestion
> then would be to directly acknowledge the challenge and yet offer the
> action plan as an effort to establish a multi-faceted and coordinated
> effort.
> 
> At the ISSE2003 conference there has been lots of talk about PKI, and
> how it never achieved its promise, how most of the issues aren't
> technical, etc etc...a very big context and lots of activities have been
> undertaken, and yet there are large deployments coming about (e.g.,
> Spanish e-Identity card) despite the obstacles --  hence my suggestions
> about acknowledging such efforts, and seeking assistance in building an
> industry-wide plan.
> 
> Hope these comments are useful.
> 
> Thanks,
> 
> John
> 
> Let me know if you think
> 
> ------------------------------------------------------------------
> John T. Sabo, CISSP
> Manager, Security Privacy and Trust Initiatives
> Computer Associates International
> 2291 Wood Oak Drive
> Herndon, Virginia, 20171
> USA
> Phone: +1 703-708-3037
> Mobile: +1 443-629-6198
> 
> -----Original Message-----
> From: Steve Hanna [mailto:steve.hanna@sun.com]
> Sent: Monday, October 06, 2003 1:30 PM
> To: PKI TC
> Subject: [pki-tc] PKI Action Plan 0.2
> 
> Here (attached to this email) is a slightly revised
> version of our PKI Action Plan. I changed the wording
> in one item (the "Develop Application Guidelines for
> PKI Use" item) in response to comments received from a
> PKI TC member.
> 
> Since we agreed to have a review period until last
> Friday for review within the TC and I have made all
> the changes requested during that period (only one),
> I think we can move on to discussing this plan on a
> confidential basis with a small number of key stakeholders.
> As agreed at the F2F, we'll feed back comments from these
> stakeholders to the PKI TC email list and aim to
> release a draft for public review at the end of October.
> 
> BTW, if you have not reviewed this plan, please do
> so now.
> 
> Thanks,
> 
> Steve
> 