OASIS Mailing List Archives

pki-tc message



Subject: Re: [pki-tc] Survey presentation at FPKI TWG by Paul Evans


I have heard several reports that Paul's FPKITWG
presentation and Sharon's comments were excellent.
A U.S. government PKI expert said "Well done!"

So let's give Paul and Sharon a big thank you for
doing such a wonderful job (especially Paul for
spending many hours putting together his presentation,
which included graphs from the survey analysis).
Paul has promised to donate a version of his slides
to our group so we can use them in briefings.

Thanks also to Sharon for taking such good notes.

Talk to you Monday,

Steve

> Sharon Boeyen wrote:
> 
> Here are my notes regarding the presentation that Paul gave at
> Wednesday's FPKI TWG. I haven't received feedback from Paul on these
> notes yet, but thought I should send them out now so that people can
> review them before our conf call Monday.
> 
> Paul, please feel free to correct anything here or to add more as you
> see fit.
> 
> 
> Paul Evans presented on both the original and follow-up OASIS PKI TC
> surveys and the draft action plan at this week's U.S. Federal
> PKI Technical Committee (FPKI) meeting. The audience (somewhere around
> 100 I'm guessing) was very interested in the survey findings and
> there was a lot more discussion around that than around the action
> plan. Here are some of the specifics:
> 
> Paul included some of the charts from the survey report and folks are
> interested in seeing not only the actual ranking and points for the
> detailed breakdowns (e.g. ranking obstacles, ranking specific costs)
> but would also like to see the medians reported.
> 
> There was interest in seeing some level of breakdown of the results by
> demographic - at least a separation of the responses from the actual
> user community (those who have actually deployed PKI or tried to
> deploy PKI) from vendors. There was also some interest in a
> demographic breakdown between senior mgt and regular staff responses.
> 
> On the costs of PKI - several people expressed interest in seeing a
> correlation of the responses to the ranking of costs (table 4 in the
> follow up summary) with the responses to the outsource versus in
> source question (table 6). (Paul, it is table 6 that I think had a
> typo on your charts - the one that didn't add up to 100% and someone
> caught it).
> 
> In further discussion of costs, ROI was mentioned by some as the real
> key to addressing costs. Others, including Michele Rubenstein,
> expressed the view that someone needs to come up with documentation on
> the total cost of ownership for PKI, not just ROI. She mentioned some
> related work that the Directory Forum in the Open Group is pursuing
> for directory.
> 
> There was also a discussion on the benefits of PKI. Someone (I don't
> know who he was) said that in order to get PKI deployed, and justify
> its high costs, you typically needed a high assurance application that
> required the security level provided by PKI. Only after that was done,
> could you begin to realize the full benefit of PKI by adding other
> applications to use it (e.g. secure email, signing timesheets and
> other forms etc). He stated that for these other apps, it was hard to
> justify the cost of a PKI, although once deployed great benefits are
> realized with each new app added to the infrastructure.
> 
> One very interesting analogy was made (and not disputed) about the
> deployment of PKI being similar to the deployment of email. It took
> 10-20 years for email to become something that we simply cannot do
> without. Until all the parties you wanted to communicate with had
> email on their desktops one really didn't realize the benefit of
> email. Only once critical mass was achieved did its deployment and
> success explode. Folks saw the deployment of PKI as analogous to that
> and did not consider it a serious problem that PKI hasn't yet reached
> that point. The comment "email took 20 years!!" was the final note on
> that topic.
> 
> I mentioned that I was beginning to review the text comments we
> received looking for themes and there was also interest in some follow
> on reporting of what, if anything interesting, comes out of that
> activity.
> 
> The only real discussion of the action plan was around testing. The
> PKITS and NIST Protection Profiles are familiar to this group and will
> address interop issues that relate to conformance (as well as a common
> set of functions for all clients). However for non-path-validation
> topics there was some interest in the Open Group taking up a role for
> other testing. Note that there were some Open Group folks in the room
> and it was they who expressed this interest.
> 
> In summary, Paul gave an excellent presentation, it was very well
> received and there is interest in seeing the report from the surveys
> as well as obtaining further breakdown and possibly even more analysis
> of the data itself. Paul credited the FPKI TC on their active
> participation in the surveys and thanked them for this. Well done
> Paul!!
> 
> Cheers,
> Sharon
> 
> Sharon Boeyen
> Principal, Advanced Security
> Tel: 613 270 3181
> Fax: 613 270 2504
> Entrust
> Securing Digital Identities
> & Information
> http://www.entrust.com
