Subject: RE: [pki-tc] RE: New PKI Resources Page and ROI paper - REVIEW DRAFT
David et al,

That's a very fair comment. My drafting has been imbued I guess with the higher end type of PKI application that dominates my life. I have doubtless overlooked enterprise type PKIs run off self-signed certificate servers etc.

So ... we could re-draft the affected sections with a risk-management type of emphasis, stressing that backend security and controls should be selected commensurate with the threat of attack and counterfeiting for the application at hand. Obviously provisions/cover for liability are also a movable feast depending totally on the application. For enterprise CAs supporting internal email, intranet functions etc. the provisions are probably zero.

Cheers,

Stephen.

Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482
11 Minnesota Ave
Five Dock NSW 2046
Australia
P +61 (0)414 488 851

--------------------
About Lockstep
Lockstep was established in early 2004 by noted authentication expert Stephen Wilson, to provide independent advice and analysis on cyber security policy, strategy, risk management, and identity management. Lockstep is also developing unique new smartcard solutions to address privacy and identity theft. Contact swilson@lockstep.com.au.

> Hi June,
> I finally have some input back from our product management side of the
> house. Their basic response is that they would never be able to use
> this document with a prospect. It is very much weighted toward managed
> services and paints standing up your own CA in a fairly negative light.
>
> Some of this is based on issues that the Lower Cost PKI subcommittee
> should be addressing, but it perpetuates the concepts that PKI is too
> big and too costly to manage. For instance, Section 5 states the
> following:
>
> ----
> Costs associated with the back end Certification Authority operation,
> which will always involve significant security, infrastructure,
> personnel, facilities and compliance related expenses. On an annualised
> basis, provision must be made (or insurance purchased) to cover
> potential liability.
> ----
>
> Some of this is only true if you have a CA signed by a third party root
> (such as VeriSign, RSA, or GeoTrust), yet it doesn't differentiate.
>
> =david
>
> -----Original Message-----
> From: June Leung [mailto:June.Leung@FundServ.com]
> Sent: Wednesday, January 19, 2005 1:56 PM
> To: PKI TC
> Cc: kefengc@geotrust.com
> Subject: [pki-tc] RE: New PKI Resources Page and ROI paper - REVIEW DRAFT
>
> Hi,
> I didn't realize the ROI doc is not attached in the previous email.
> june
>
> June Leung
> PKI Department
> FundSERV Inc.
> 1700 - 130 King Street West
> Toronto ON
> M5X 1E5
> T. 416.350.2516
> F. 416.362.6668
>
> -----Original Message-----
> From: June Leung
> Sent: Wednesday, January 19, 2005 1:40 PM
> To: PKI TC
> Cc: kefengc@geotrust.com
> Subject: FW: New PKI Resources Page and ROI paper - REVIEW DRAFT
>
> Hi,
> Please review the two work efforts from the Education Sub-committee and
> forward any comments to me by the end of day Jan 24/05. Thanks for your
> assistance. June
>
> June Leung
> PKI Department
> FundSERV Inc.
> 1700 - 130 King Street West
> Toronto ON
> M5X 1E5
> T. 416.350.2516
> F. 416.362.6668