OASIS Mailing List Archives

pki-lowercosts message



Subject: Re: [pki-tc] Gearing up for PKI Survey Promotion


Stephen/Ann,

Some feedback on the survey I received and tried to fill out today:

1) I am not a Microsoft Office user, so the fact that the
    survey is distributed in Excel format is a problem for me,
    as OpenOffice 2.0 does not faithfully reproduce the format
    you carefully created.  Additionally, while OpenOffice will
    save the document in Excel format, I'm not sure how it will
    look when you open it up in Excel again.  And no, unfortunately,
    I don't have a copy of Excel even in my lab Windows machines.

    While I understand that most of the world uses MS-Office,
    OASIS has gotten behind the OpenDocument standard, and as
    a subcommittee, I think we should support it by providing the
    survey in an OpenDocument format document too.  I would
    encourage you to download OpenOffice 2.0 and add the
    OpenDocument version too.

2) Steve Hanna's e-mail address has changed, as you might
    know; might be better to get OASIS to give him a generic
    chair-pkitc@oasis-open.org e-mail address.

3) The survey should recognize that consulting companies (like
    StrongAuth) build many PKIs, and even though they may be small
    (5 people in our case), they may have built PKIs for companies
    of much larger size (120,000 employees in the case of one of
    our customers).  Currently, the survey does not explain how one
    should address this.

4) In the question "Obstacles to PKI" it is not clear whether
    I should allot 10 points per question, or across all the 16
    questions.  Is this meant to be a scale of 1 to 10, with 10
    being "most important" or "least important" to me?  It's not
    clear how I should be responding.

5) Same observation as (4) for questions on "Potential Improvements
    to Software", "Problematic Costs", "Understanding" and
    "Interoperability".

6) I'm not sure how valid my opinions would be on the "Quantitative"
    and "Qualitative" questions.  I am a supplier of PKI services, thus
    making me biased towards the technology, and I'm an active OASIS
    member, so I may be too close to the problem.

    I've left them blank for the time being; let me know how you'd
    like me to respond to these sections.

7) To make things worse, after spending 45 minutes on the survey,
    the application locked up as I got to the section on the projects.
    Not sure if it had to do with the Excel spreadsheet in OpenOffice
    or not, but I had to kill it and lost all the work I'd done so far.
    (I'll wait for your responses before trying again).

8) It might be useful to break down the question on "Costs too high"
    into Capital, Implementation and Operational costs and determine
    which costs people are worried about.

9) WRT "Enrollment too complicated", it might be useful to break
    this question into the Technical process and the Business process
    and determine which part respondents believe is too complex.

10) WRT "Too much legal work required", it might be helpful to ask
     the question why respondents think there should be legalities
     involved with a PKI when there aren't any with User ID/Passwords;
     and US Federal law allows for people to assent to contracts with
     an "X" in a checkbox on electronic forms.  My point is, shouldn't
     IT organizations be more worried about data-integrity and security
     rather than legal-enforcement of the digital signature?  Is this
     one of the reasons PKI is too complex?

11) The "Implementation" and "Cost Detail" sheets are overwhelming,
     Stephen.  I doubt that any IT organization has that level of
     detail - or would be willing to part with that much information
     even if they did.

     This may be the biggest barrier to getting quality responses to
     the survey.  While I don't deny the usefulness of such information
     for an analysis, I doubt we'll get that level of clarity in the
     responses.  Even though StrongAuth has implemented 4 PKIs in the
     last 4-5 years, even I am not privy to all the information in
     that survey; and I can guarantee that the people I know in those
     companies will not have all the answers either.

I hate to be doing this at the stage where you're getting ready to
announce and release the survey, but is there any way you can cut
this back to half its size?

This survey will definitely take more than an hour to fill.  Just
collecting the information could take days, and then it might take a
couple of hours at least to get all that information filled out.  For
most US-based ITSec folks, this will just sit on this list of "to-do"
things and will likely not get done.  Motivated people (as on the TC)
will help to get this moving forward, but most other people are
probably swamped with day-to-day things to provide this much
information.

I apologize for not having been involved earlier and this late feedback,
but I think it's more important to be honest with you and do the right
thing than to "just try to do the survey" and ignore the fact that this
survey will be daunting to most respondents.

Arshad Noor
StrongAuth, Inc.

