Subject: Survey presentation at FPKI TWG by Paul Evans
Here are my notes regarding the presentation that Paul gave at Wednesday's FPKI TWG. I haven't received feedback from Paul on these
notes yet, but thought I should send them out now so that people can review them before our conf call Monday.
Paul, please feel free to correct anything here or to add more as you see fit.
Paul Evans presented on both the original and follow-up OASIS PKI TC surveys and the draft action plan at this week's U.S. Federal
PKI Technical Committee (FPKI) meeting. The audience (somewhere around 100 I'm guessing) was very interested in the survey findings and
there was a lot more discussion around that than around the action plan. Here are some of the specifics:
Paul included some of the charts from the survey report and folks are interested in seeing, not only the actual ranking and points for the
detailed breakdowns (e.g. ranking obstacles, ranking specific costs) but would also like to see the medians reported.
There was interest in seeing some level of breakdown of the results by demographic - at least a separation of the responses from the actual
user community (those who have actually deployed PKI or tried to deploy PKI) from vendors. There was also some interest in a demographic
breakdown between senior mgt and regular staff responses.
On the costs of PKI - several people expressed interest in seeing a correlation of the responses to the ranking of costs (table 4 in the follow up
summary) with the responses to the outsource versus in source question (table 6). (Paul it is table 6 that I think had a typo on your charts - the
one that didn't add up to 100% and someone caught it).
In further discussion of costs, ROI was mentioned by some as the real key to addressing costs. Others, including Michele Rubenstein, expressed
the view that someone needs to come up with documentation on the total cost of ownership for PKI, not just ROI. She mentioned some related
work that the Directory Forum in the Open Group is pursuing for directory.
There was also a discussion on the benefits of PKI. Someone (I don't know who he was) said that in order to get PKI deployed, and justify its
high costs, you typically needed a high assurance application that required the security level provided by PKI. Only after that was done, could you
begin to realize the full benefit of PKI by adding other applications to use it (e.g. secure email, signing timesheets and other forms etc). He stated
that for these other apps, it was hard to justify the cost of a PKI, although once deployed great benefits are realized with each new app added to the
infrastructure.
One very interesting analogy was made (and not disputed) about the deployment of PKI being similar to the deployment of email. It took 10-20
years for email to become something that we simply cannot do without. Until all the parties you wanted to communicate with had email on their
desktops one really didn't realize the benefit of email. Only once critical mass was achieved did its deployment and success explode. Folks saw
the deployment of PKI as analogous to that and did not consider it a serious problem that PKI hasn't yet reached that point. The comment "email
took 20 years!!" was the final note on that topic.
I mentioned that I was beginning to review the text comments we received looking for themes and there was also interest in some follow on reporting
of what, if anything interesting, comes out of that activity.
The only real discussion of the action plan was around testing. The PKITS and NIST Protection Profiles are familiar to this group and will address
interop issues that relate to conformance (as well as a common set of functions for all clients). However for non-path-validation topics there was
some interest in the Open Group taking up a role for other testing. Note that there were some Open Group folks in the room and it was they who
expressed this interest.
In summary, Paul gave an excellent presentation, it was very well received and there is interest in seeing the report from the surveys as well as
obtaining further breakdown and possibly even more analysis of the data itself. Paul credited the FPKI TC on their active participation in the surveys
and thanked them for this. Well done Paul!!
Cheers,
Sharon
Sharon Boeyen
Principal, Advanced Security
Tel: 613 270 3181
Fax: 613 270 2504
Entrust
Securing Digital Identities
& Information
http://www.entrust.com