pki-tc message
Subject: RE: [pki-tc] RE: New PKI Resources Page and ROI paper - REVIEW DRAFT



David et al

That's a very fair comment.  My drafting has been imbued I guess with the 
higher end type of PKI application that dominates my life.  I have 
doubtless overlooked enterprise type PKIs run off self-signed certificate 
servers etc.

So ... we could re-draft the affected sections with a risk-management type 
of emphasis, stressing that backend security and controls should be 
selected commensurate with the threat of attack and counterfeiting for the 
application at hand.  Obviously provisions/cover for liability are also a 
movable feast depending totally on the application.  For enterprise CAs 
supporting internal email, intranet functions etc. the provisions are 
probably zero. 

Cheers, 

Stephen.



Stephen Wilson
Lockstep Consulting Pty Ltd
ABN 59 593 754 482

11 Minnesota Ave
Five Dock NSW 2046
Australia

P +61 (0)414 488 851

--------------------

About Lockstep 
Lockstep was established in early 2004 by noted authentication expert 
Stephen Wilson, to provide independent advice and analysis on cyber 
security policy, strategy, risk management, and identity management.  
Lockstep is also developing unique new smartcard solutions to address 
privacy and identity theft. 
Contact swilson@lockstep.com.au. 



> Hi June,
> I finally have some input back from our product management side of the
> house.  Their basic response is that they would never be able to use
> this document with a prospect.  It is very much weighted toward managed
> services and paints standing up your own CA in a fairly negative light.
> 
> 
> Some of this is based on issues that the Lower Cost PKI subcommittee
> should be addressing, but it perpetuates the concepts that PKI is too
> big and too costly to manage.  For instance, Section 5 states the
> following:
> 
> ----
> Costs associated with the back end Certification Authority operation,
> which will always involve significant security, infrastructure,
> personnel, facilities and compliance related expenses. On an annualised
> basis, provision must be made (or insurance purchased) to cover
> potential liability.
> ----
> 
> Some of this is only true if you have a CA signed by a third party root
> (such as VeriSign, RSA, or GeoTrust), yet it doesn't differentiate.
> 
> =david
> 
> -----Original Message-----
> From: June Leung [mailto:June.Leung@FundServ.com] 
> Sent: Wednesday, January 19, 2005 1:56 PM
> To: PKI TC
> Cc: kefengc@geotrust.com
> Subject: [pki-tc] RE: New PKI Resources Page and ROI paper - REVIEW
> DRAFT
> 
> Hi, 
> I didn't realize the ROI doc is not attached in the previous email.
> june
> 
> June Leung
> PKI Department
> FundSERV Inc.
> 1700 - 130 King Street West
> Toronto ON 
> M5X 1E5
> T. 416.350.2516
> F. 416.362.6668 
> 
> -----Original Message-----
> From: June Leung 
> Sent: Wednesday, January 19, 2005 1:40 PM
> To: PKI TC
> Cc: kefengc@geotrust.com
> Subject: FW: New PKI Resources Page and ROI paper - REVIEW DRAFT
> 
> 
> Hi,
> Please review the two work efforts from the Education Sub-committee and
> forward any comments to me by the end of day Jan 24/05. Thanks for your
> assistance. June
> 
> June Leung
> PKI Department
> FundSERV Inc.
> 1700 - 130 King Street West
> Toronto ON 
> M5X 1E5
> T. 416.350.2516
> F. 416.362.6668 
>
