1 / 22

Agenda

Obstacles to PKI Deployment and Usage - Survey Results and Draft Action Plan Steve Hanna, Co-chair, OASIS PKI TC. Agenda. OASIS PKI Technical Committee Survey Results on Obstacles to PKI Deployment and Usage PKI Action Plan Invitation. OASIS PKI Technical Committee. Vital Statistics

nyla
Download Presentation

Agenda

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Obstacles to PKI Deployment and Usage - Survey Results and Draft Action PlanSteve Hanna, Co-chair, OASIS PKI TC

  2. Agenda • OASIS PKI Technical Committee • Survey Results on Obstacles to PKI Deployment and Usage • PKI Action Plan • Invitation

  3. OASIS PKI Technical Committee • Vital Statistics • Formed January 2003, successor to PKI Forum • 15 Voting Members: PKI customers, vendors, and experts • Open to any OASIS member • Objective • Address issues related to successful deployment of digital certificates • Plan • Identify primary obstacles to PKI deployment and usage • Develop PKI Action Plan to address these obstacles • Improve and build support for PKI Action Plan • Coordinate implementation of PKI Action Plan • OASIS PKI TC Role • Catalyst and coordinator for addressing PKI obstacles • Not a standards group or trade group

  4. June 2003 Survey on PKI Obstacles • Goal • Identify primary obstacles to PKI Deployment and Usage • How • Web-based survey deployed June 9 to 22, 2003 • Invitation distributed through PKI standards bodies, trade groups, user associations, etc. • Respondents • 216 valid responses, many with careful text comments • 44% IT management and staff, remainder developers, consultants, etc. • Primary Work Location: 61% North America, 24% Europe, 6% Asia • Over 75% with 5 or more years experience in InfoSec/Privacy • 90% either helped deploy PKI or developed PKI-related software

  5. Applications • Participants asked to rate various PKI supported applications as: • Most Important • Important • Not Important • Weight • 2 points for Most Important, 1 point for Important • Weight is average for all responses • Respondents allowed to enter and rank “Other” applications • All applications except Secure RPC considered at least “Important” by over 50% • No application considered “Most Important” by a majority • PKI is truly a horizontal, enabling technology with many applications

  6. PKI Application Weights

  7. Obstacles • Participants given a list of obstacles and asked to rank each as: • Major Obstacle • Minor Obstacle • Not an Obstacle • Weight • Similar to Application Weight (2 points for Major Obstacle, 1 for Minor) • Write-in area for “Other” obstacles • No obstacle was ranked “Not an Obstacle” by the majority, indicating all were relevant • Top two obstacles rated as “Major” by at least 50%, top six rated “Major” by at least 40% • 92% indicated they would use PKI more if obstacles were removed. • Responses consistent across demographics

  8. PKI Obstacle Weights

  9. Additional PKI Obstacles

  10. August 2003 Follow-up Survey • Goal • Obtain detailed information needed to create Action Plan • How • Web-based survey deployed during August 2003 • Invitation distributed to June 2003 respondents • Respondents • 74 valid responses • Demographics and opinions similar to previous survey • Improved Ranking System • Respondent given “budget” of 10 points, asked to allocate them among choices • Added • Clarifying questions on obstacles • Six “other” obstacles identified by respondents to June 2003 survey • Request for suggestions on how to address top obstacles

  11. Obstacles Ranked by Importance

  12. Which Applications Most Critically Need Improvements in PKI Support?

  13. More on Application Support for PKI • Application support is inconsistent • Many applications have no PKI support • When present, PKI support varies widely • Interoperation is nearly impossible • Common comments on how to address this problem • Create guidelines for each type of application on how PKI support should be implemented (like draft-ietf-ipsec-pki-profile-03.txt) • Encourage OS vendors to include PKI features (e.g. smart card support)

  14. Which Costs are Most Problematic?

  15. More on Costs • Many Kinds of Costs • Common comments on how to address this problem • Promote specific standards that avoid the need for customization • Outsource • Encourage free PKI software and free CAs for low-assurance applications

  16. Which parties most need greater PKI understanding?

  17. More on PKI Understanding • Common comments on how to address this problem • Explain in non-technical terms the benefits, value, and ROI of PKI • Explain when PKI is appropriate (or not) • Provide a cookbook on deploying PKI • All educational materials should be unbiased and freely available

  18. Where do the Most Serious Interoperability Problems Arise?

  19. More on Interoperability Problems • Standards are inadequate • In some cases (e.g. certificate management) there are too many standards • In others (as with smart cards) there are too few • When present, standards are often too flexible and too complex • Overly flexible and complex standards create an environment where implementations from different vendors rarely interoperate • Common comments on how to address this problem • Create specific profiles of PKI standards, including application guidelines • Provide interoperability testing, test suites, and certification

  20. PKI Action Plan • Status • Draft in Public Review • Asking all stakeholders (users, vendors, standards groups, and experts) to review, comment on, and support the plan • Plan to announce Action Plan formally in February 2004 • Features • Develop specific application guidelines on PKI standards use • Increase interoperability testing, possibly with branding and certification • Ask application vendors what they need to provide PKI support • Gather and/or enhance educational materials

  21. A Call to Action • Obstacles to PKI deployment and usage are an industry-wide problem • The obstacles are widely agreed upon • They hurt all of us (increasing costs, slowing down innovation, reducing sales, reducing security) • The PKI Action Plan is a Call to Action for the industry • The PKI TC is passing on requests from hundreds of customers • Implementing the PKI Action Plan will require cooperation from all of us • The PKI TC plans to act as a catalyst and coordinator • Helping the industry agree on problems and solutions • Supporting and publicizing efforts already under way • Encouraging new efforts

  22. An Invitation • PKI Stakeholders (users, vendors, etc.) are invited to: • Review and comment on the draft PKI Action Plan • Sign on to support the PKI Action Plan • Join the OASIS PKI TC • http://www.oasis-open.org/committees/pki • pki-tc-chair@lists.oasis-open.org

More Related