Obstacles to PKI Deployment and Usage

Obstacles to PKI Deployment and Usage Survey Results and Draft Action Plan
Steve Hanna, Co-chair, OASIS PKI TC
Agenda
• OASIS PKI Technical Committee
• Survey Results on Obstacles to PKI Deployment and Usage
• PKI Action Plan
• Invitation
OASIS PKI Technical Committee
• Vital Statistics
– Formed January 2003, successor to PKI Forum
– 15 Voting Members: PKI customers, vendors, and experts
– Open to any OASIS member
• Objective
– Address issues related to successful deployment of digital certificates
• Plan
– Identify primary obstacles to PKI deployment and usage
– Develop PKI Action Plan to address these obstacles
– Improve and build support for PKI Action Plan
– Coordinate implementation of PKI Action Plan
• OASIS PKI TC Role
– Catalyst and coordinator for addressing PKI obstacles
– Not a standards group or trade group
June 2003 Survey on PKI Obstacles
• Goal
– Identify primary obstacles to PKI Deployment and Usage
• How
– Web-based survey deployed June 9 to 22, 2003
– Invitation distributed through PKI standards bodies, trade groups, user associations, etc.
• Respondents
– 216 valid responses, many with careful text comments
– 44% IT management and staff, remainder developers, consultants, etc.
– Primary Work Location: 61% North America, 24% Europe, 6% Asia
– Over 75% with 5 or more years of experience in InfoSec/Privacy
– 90% either helped deploy PKI or developed PKI-related software
Applications
• Participants asked to rate various PKI-supported applications as:
– Most Important
– Important
– Not Important
• Weight
– 2 points for Most Important, 1 point for Important
– Weight is average for all responses
– Respondents allowed to enter and rank “Other” applications
• All applications except Secure RPC considered at least “Important” by over 50%
• No application considered “Most Important” by a majority
• PKI is truly a horizontal, enabling technology with many applications
PKI Application Weights
Obstacles
• Participants given a list of obstacles and asked to rank each as:
– Major Obstacle
– Minor Obstacle
– Not an Obstacle
• Weight
– Similar to Application Weight (2 points for Major Obstacle, 1 for Minor)
– Write-in area for “Other” obstacles
• No obstacle was ranked “Not an Obstacle” by the majority, indicating all were relevant
• Top two obstacles rated as “Major” by at least 50%, top six rated “Major” by at least 40%
• 92% indicated they would use PKI more if obstacles were removed
• Responses consistent across demographics
PKI Obstacle Weights
Additional PKI Obstacles
August 2003 Follow-up Survey
• Goal
– Obtain detailed information needed to create Action Plan
• How
– Web-based survey deployed during August 2003
– Invitation distributed to June 2003 respondents
• Respondents
– 74 valid responses
– Demographics and opinions similar to previous survey
• Improved Ranking System
– Respondent given “budget” of 10 points, asked to allocate them among choices
• Added
– Clarifying questions on obstacles
– Six “other” obstacles identified by respondents to June 2003 survey
– Request for suggestions on how to address top obstacles
Obstacles Ranked by Importance
Which Applications Most Critically Need Improvements in PKI Support?
More on Application Support for PKI
• Application support is inconsistent
– Many applications have no PKI support
– When present, PKI support varies widely
– Interoperation is nearly impossible
• Common comments on how to address this problem
– Create guidelines for each type of application on how PKI support should be implemented (like draft-ietf-ipsec-pki-profile-03.txt)
– Encourage OS vendors to include PKI features (e.g. smart card support)
Which Costs are Most Problematic?
More on Costs
• Many Kinds of Costs
• Common comments on how to address this problem
– Promote specific standards that avoid the need for customization
– Outsource
– Encourage free PKI software and free CAs for low-assurance applications
Which Parties Most Need Greater PKI Understanding?
More on PKI Understanding
• Common comments on how to address this problem
– Explain in non-technical terms the benefits, value, and ROI of PKI
– Explain when PKI is appropriate (or not)
– Provide a cookbook on deploying PKI
– All educational materials should be unbiased and freely available
Where do the Most Serious Interoperability Problems Arise?
More on Interoperability Problems
• Standards are inadequate
– In some cases (e.g. certificate management) there are too many standards
– In others (as with smart cards) there are too few
– When present, standards are often too flexible and too complex
– Overly flexible and complex standards create an environment where implementations from different vendors rarely interoperate
• Common comments on how to address this problem
– Create specific profiles of PKI standards, including application guidelines
– Provide interoperability testing, test suites, and certification
PKI Action Plan
• Status
– Draft in Public Review
– Asking all stakeholders (users, vendors, standards groups, and experts) to review, comment on, and support the plan
– Plan to announce Action Plan formally in February 2004
• Features
– Develop specific application guidelines on PKI standards use
– Increase interoperability testing, possibly with branding and certification
– Ask application vendors what they need to provide PKI support
– Gather and/or enhance educational materials
A Call to Action
• Obstacles to PKI deployment and usage are an industry-wide problem
– The obstacles are widely agreed upon
– They hurt all of us (increasing costs, slowing down innovation, reducing sales, reducing security)
• The PKI Action Plan is a Call to Action for the industry
– The PKI TC is passing on requests from hundreds of customers
– Implementing the PKI Action Plan will require cooperation from all of us
• The PKI TC plans to act as a catalyst and coordinator
– Helping the industry agree on problems and solutions
– Supporting and publicizing efforts already under way
– Encouraging new efforts
An Invitation
• PKI Stakeholders (users, vendors, etc.) are invited to:
– Review and comment on the draft PKI Action Plan
– Sign on to support the PKI Action Plan
– Join the OASIS PKI TC
• http://www.oasis-open.org/committees/pki
• [email protected]