Subject: ROI Was: [pki-tc] Reports for Education SC for Aug 04 PKI TC
June et al.

May I comment a bit on the ROI issue?

There are three potential sources of ROI:

1. Security related cost reductions (less fraud etc.)
2. Administration related cost reductions (eliminating the "userid/password hell")
3. Enabling services that for technical and (sometimes) legal reasons must use PKI

To estimate #1 is probably impossible for all but banks as only banks have the volume and the statistics needed to do such calculations. Here I would like to mention that many banks have lately become hesitant regarding the EMV card as they have found out that most fraud problems are on the Internet and here the EMV card does not work. Well, theoretically it could but nobody seems prepared to pay for the readers and software required. Quite a few banks have therefore implemented server-based payment schemes like 3D Secure that effectively delay the introduction of "true" PKI solutions. This delay may very well turn out to be *indefinite* as the server-schemes have a huge, and so far mostly unexploited, potential.

Regarding #2, SSO is still not a reality in most large organizations, greatly limiting the value of a PKI. Another problem is that users nowadays need to access the Intranet from different locations and devices, making non-mobile, "fat" solutions like PKI very awkward.

Left is in my opinion #3. In this segment we almost exclusively find various public sector related organizations. Many of these exploit the primary feature of PKI, One-to-Many-Authentication (rather than only security which other solutions can offer as well). If you have

- Numerous relying parties
- A common identity system (like national IDs)

then PKI has a lot to offer in terms of ROI (and convenience). Unfortunately the unavailability of mobile, secure, convenient, de-facto standard, and cheap "PKI containers" has also forced quite a few of these customers into the server-schemes offered by SAML et al. These are often also using PKI but in a very different form.

====================================================
I think it would be wise to mention somewhere that server-PKI in many cases has replaced client-PKI due to the fact that the web has become the medium of choice for service providers. Secure e-mail is not a system for the masses and this is really the true origin of client-side PKI.
====================================================

Client-side PKI will come but the private sector will not care much until it beats passwords from day one. This is probably some 5-10 years away and will be the outcome of a rather brutal (de-facto) standards-battle we see emerging on the horizon.

regards
Anders Rundgren

----- Original Message -----
From: "June Leung" <June.Leung@FundServ.com>
To: <email@example.com>
Cc: "Kefeng Chen (E-mail)" <firstname.lastname@example.org>
Sent: Tuesday, August 17, 2004 20:53
Subject: [pki-tc] Reports for Education SC for Aug 04 PKI TC

In the past couple of months, the Education SC did some research. (see attached) We divided the sites/material into 4 categories: Value/Benefits, ROI, Risk Management and Applicability. We were able to find case studies/examples supporting most of the categories (except ROI). We are ready for the next step and would like to get some feedback from the TC.

1) We are having a difficult time locating ROI, Risk Management info. Do you think it's necessary to have this information handy to assist business people in making decisions on whether their company should consider implementing PKI?

2) If the answer is "Yes", do you know where we can locate this info? We are also thinking of having someone assist us in writing the documentation if we can't locate them.

3) We would like to post our results, and we are thinking that the PKI resource page would be a natural spot. http://www.pkiforum.org/resources.html Do you agree?

4) We also require contractor's assistance to revamp the resource page. Some of the info is not current and links no longer exist.
If we hire a contractor, will we be able to share resources with the other SCs?

thanks
june

June Leung
Manager, PKI Department
FundSERV Inc.
1730 130 King St W
Toronto ON M5X 1E5
T. 416.350.2516
F. 416.362.6668