Subject: Re: [pki-tc] Survey presentation at FPKI TWG by Paul Evans
I have heard several reports that Paul's FPKI TWG presentation and Sharon's comments were excellent. A U.S. government PKI expert said "Well done!" So let's give Paul and Sharon a big thank you for doing such a wonderful job (especially Paul for spending many hours putting together his presentation, which included graphs from the survey analysis). Paul has promised to donate a version of his slides to our group so we can use them in briefings. Thanks also to Sharon for taking such good notes.

Talk to you Monday,

Steve

> Sharon Boeyen wrote:
>
> Here are my notes regarding the presentation that Paul gave at Wednesday's FPKI TWG. I haven't received feedback from Paul on these notes yet, but thought I should send them out now so that people can review them before our conf call Monday.
>
> Paul, please feel free to correct anything here or to add more as you see fit.
>
> Paul Evans presented on both the original and follow-up OASIS PKI TC surveys and the draft action plan at this week's U.S. Federal PKI Technical Committee (FPKI) meeting. The audience (somewhere around 100 I'm guessing) was very interested in the survey findings and there was a lot more discussion around that than around the action plan. Here are some of the specifics:
>
> Paul included some of the charts from the survey report and folks are interested in seeing not only the actual ranking and points for the detailed breakdowns (e.g. ranking obstacles, ranking specific costs) but would also like to see the medians reported.
>
> There was interest in seeing some level of breakdown of the results by demographic - at least a separation of the responses from the actual user community (those who have actually deployed PKI or tried to deploy PKI) from vendors. There was also some interest in a demographic breakdown between senior mgt and regular staff responses.
>
> On the costs of PKI - several people expressed interest in seeing a correlation of the responses to the ranking of costs (table 4 in the follow up summary) with the responses to the outsource versus in source question (table 6). (Paul, it is table 6 that I think had a typo on your charts - the one that didn't add up to 100% and someone caught it).
>
> In further discussion of costs, ROI was mentioned by some as the real key to addressing costs. Others, including Michele Rubenstein, expressed the view that someone needs to come up with documentation on the total cost of ownership for PKI, not just ROI. She mentioned some related work that the Directory Forum in the Open Group is pursuing for directory.
>
> There was also a discussion on the benefits of PKI. Someone (I don't know who he was) said that in order to get PKI deployed, and justify its high costs, you typically needed a high assurance application that required the security level provided by PKI. Only after that was done could you begin to realize the full benefit of PKI by adding other applications to use it (e.g. secure email, signing timesheets and other forms etc). He stated that for these other apps, it was hard to justify the cost of a PKI, although once deployed great benefits are realized with each new app added to the infrastructure.
>
> One very interesting analogy was made (and not disputed) about the deployment of PKI being similar to the deployment of email. It took 10-20 years for email to become something that we simply cannot do without. Until all the parties you wanted to communicate with had email on their desktops one really didn't realize the benefit of email. Only once critical mass was achieved did its deployment and success explode. Folks saw the deployment of PKI as analogous to that and did not consider it a serious problem that PKI hasn't yet reached that point. The comment "email took 20 years!!" was the final note on that topic.
>
> I mentioned that I was beginning to review the text comments we received looking for themes and there was also interest in some follow on reporting of what, if anything interesting, comes out of that activity.
>
> The only real discussion of the action plan was around testing. The PKITS and NIST Protection Profiles are familiar to this group and will address interop issues that relate to conformance (as well as a common set of functions for all clients). However, for non-path-validation topics there was some interest in the Open Group taking up a role for other testing. Note that there were some Open Group folks in the room and it was they who expressed this interest.
>
> In summary, Paul gave an excellent presentation, it was very well received and there is interest in seeing the report from the surveys as well as obtaining further breakdown and possibly even more analysis of the data itself. Paul credited the FPKI TC on their active participation in the surveys and thanked them for this. Well done Paul!!
>
> Cheers,
> Sharon
>
> Sharon Boeyen
> Principal, Advanced Security
> Tel: 613 270 3181
> Fax: 613 270 2504
> Entrust
> Securing Digital Identities & Information
> http://www.entrust.com