
pki-tc message


Subject: ROI Was: [pki-tc] Reports for Education SC for Aug 04 PKI TC

June et al.
May I comment a bit on the ROI issue?

There are three potential sources of ROI:
1. Security related cost reductions (less fraud etc.)
2. Administration related cost reductions (eliminating the "userid/password hell")
3. Enabling services that for technical and (sometimes) legal reasons must use PKI

To estimate #1 is probably impossible for all but banks as only banks have
the volume and the statistics needed to do such calculations.   Here I would
like to mention that many banks have lately become hesitant regarding the
EMV card as they have found out that most fraud problems are on the
Internet and here the EMV card does not work.  Well, theoretically it could
but nobody seems prepared to pay for the readers and software required.
Quite a few banks have therefore implemented server-based payment
schemes like 3D Secure that effectively delay the introduction of "true"
PKI solutions.   This delay may very well turn out to be *indefinite* as
the server-schemes have a huge, and so far mostly unexploited potential.

Regarding #2, SSO is still not a reality in most large organizations, greatly
limiting the value of a PKI.  Another problem is that users nowadays
need to access the Intranet from different locations and devices, making
non-mobile, "fat" solutions like PKI very awkward.

Left is in my opinion #3.  In this segment we almost exclusively find
various public sector related organizations.  Many of these exploit the
primary feature of PKI, One-to-Many-Authentication (rather than only
security which other solutions can offer as well).  If you have

   - Numerous relying parties
   - A common identity system (like national IDs)

then PKI has a lot to offer in terms of ROI (and convenience).

Unfortunately the unavailability of mobile, secure, convenient, de-facto
standard, and cheap "PKI containers" has also forced quite a few of these
customers into the server-schemes offered by SAML et al.  These are often
also using PKI but in very different form.

I think it would be wise to mention somewhere that server-PKI in many
cases has replaced client-PKI due to the fact that the web has become
the medium of choice for service providers.   Secure e-mail is not a system
for the masses and this is really the true origin of client-side PKI.

Client-side PKI will come but the private sector will not care much until
it beats passwords from day one.  This is probably some 5-10 years
away and will be the outcome of a rather brutal (de-facto) standards-battle
we see emerging on the horizon.

Anders Rundgren

----- Original Message -----
From: "June Leung" <June.Leung@FundServ.com>
To: <pki-tc@lists.oasis-open.org>
Cc: "Kefeng Chen (E-mail)" <kefengc@geotrust.com>
Sent: Tuesday, August 17, 2004 20:53
Subject: [pki-tc] Reports for Education SC for Aug 04 PKI TC

In the past couple of months, the Education SC did some research. (see attached)  We divided the sites/material into 4 categories.
Value/Benefits, ROI, Risk Management and Applicability.  We were able to find case studies/examples supporting most of the
categories (except ROI).

We are ready for the next step and would like to get some feedback from the TC.

1) We are having a difficult time locating ROI, Risk Management info.  Do you think it's necessary to have this information handy to
assist business people in making decisions on whether their company should consider implementing PKI?

2) If the answer is "Yes", do you know where we can locate this info?  We are also thinking of having someone assist us in writing
the documentation if we can't locate them.

3) We would like to post our results, and we are thinking that the PKI resource page would be a natural spot.
http://www.pkiforum.org/resources.html  Do you agree?

4) We also require contractor's assistance to revamp the resource page.  Some of the info is not current and links no longer exist.
If we hire a contractor, will we be able to share resources with the other SCs?


June Leung
Manager, PKI Department
FundSERV Inc.
1730 130 King St W
Toronto ON M5X 1E5
T. 416.350.2516
F. 416.362.6668

