OASIS Mailing List Archives
pki-tc message



Subject: Survey presentation at FPKI TWG by Paul Evans



Here are my notes regarding the presentation that Paul gave at Wednesday's FPKI TWG. I haven't received feedback from Paul on these notes yet, but thought I should send them out now so that people can review them before our conf call Monday.

Paul, please feel free to correct anything here or to add more as you see fit.

 
Paul Evans presented on both the original and follow-up OASIS PKI TC surveys and the draft action plan at this week's U.S. Federal PKI Technical Committee (FPKI) meeting. The audience (somewhere around 100 I'm guessing) was very interested in the survey findings and there was a lot more discussion around that than around the action plan. Here are some of the specifics:
 
Paul included some of the charts from the survey report and folks are interested in seeing not only the actual ranking and points for the detailed breakdowns (e.g. ranking obstacles, ranking specific costs), but would also like to see the medians reported.

There was interest in seeing some level of breakdown of the results by demographic - at least a separation of the responses from the actual user community (those who have actually deployed PKI or tried to deploy PKI) from vendors. There was also some interest in a demographic breakdown between senior mgt and regular staff responses.

On the costs of PKI - several people expressed interest in seeing a correlation of the responses to the ranking of costs (table 4 in the follow up summary) with the responses to the outsource versus in source question (table 6). (Paul, it is table 6 that I think had a typo on your charts - the one that didn't add up to 100% and someone caught it).

In further discussion of costs, ROI was mentioned by some as the real key to addressing costs. Others, including Michele Rubenstein, expressed the view that someone needs to come up with documentation on the total cost of ownership for PKI, not just ROI. She mentioned some related work that the Directory Forum in the Open Group is pursuing for directory.

There was also a discussion on the benefits of PKI. Someone (I don't know who he was) said that in order to get PKI deployed, and justify its high costs, you typically needed a high assurance application that required the security level provided by PKI. Only after that was done, could you begin to realize the full benefit of PKI by adding other applications to use it (e.g. secure email, signing timesheets and other forms etc). He stated that for these other apps, it was hard to justify the cost of a PKI, although once deployed great benefits are realized with each new app added to the infrastructure.

One very interesting analogy was made (and not disputed) about the deployment of PKI being similar to the deployment of email. It took 10-20 years for email to become something that we simply cannot do without. Until all the parties you wanted to communicate with had email on their desktops one really didn't realize the benefit of email. Only once critical mass was achieved did its deployment and success explode. Folks saw the deployment of PKI as analogous to that and did not consider it a serious problem that PKI hasn't yet reached that point. The comment "email took 20 years!!" was the final note on that topic.

I mentioned that I was beginning to review the text comments we received looking for themes and there was also interest in some follow on reporting of what, if anything interesting, comes out of that activity.

The only real discussion of the action plan was around testing. The PKITS and NIST Protection Profiles are familiar to this group and will address interop issues that relate to conformance (as well as a common set of functions for all clients). However, for non-path-validation topics there was some interest in the Open Group taking up a role for other testing. Note that there were some Open Group folks in the room and it was they who expressed this interest.

In summary, Paul gave an excellent presentation, it was very well received and there is interest in seeing the report from the surveys as well as obtaining further breakdown and possibly even more analysis of the data itself. Paul credited the FPKI TC on their active participation in the surveys and thanked them for this. Well done Paul!!

Cheers,
Sharon

Sharon Boeyen
Principal, Advanced Security
Tel: 613 270 3181
Fax: 613 270 2504
Entrust
Securing Digital Identities & Information
http://www.entrust.com



