Obstacles to PKI Deployment and Usage: Survey Results and Draft Action Plan
Steve Hanna, Co-chair, OASIS PKI TC
Agenda
OASIS PKI Technical Committee
Survey Results on Obstacles to PKI Deployment and Usage
PKI Action Plan
Invitation
OASIS PKI Technical Committee
Vital Statistics
– Formed January 2003, successor to PKI Forum
– 15 Voting Members: PKI customers, vendors, and experts
– Open to any OASIS member
Objective
– Address issues related to successful deployment of digital certificates
Plan
– Identify primary obstacles to PKI deployment and usage
– Develop PKI Action Plan to address these obstacles
– Improve and build support for PKI Action Plan
– Coordinate implementation of PKI Action Plan
OASIS PKI TC Role
– Catalyst and coordinator for addressing PKI obstacles
– Not a standards group or trade group
June 2003 Survey on PKI Obstacles
Goal
– Identify primary obstacles to PKI Deployment and Usage
How
– Web-based survey deployed June 9 to 22, 2003
– Invitation distributed through PKI standards bodies, trade groups, user associations, etc.
Respondents
– 216 valid responses, many with careful text comments
– 44% IT management and staff, remainder developers, consultants, etc.
– Primary Work Location: 61% North America, 24% Europe, 6% Asia
– Over 75% with 5 or more years experience in InfoSec/Privacy
– 90% either helped deploy PKI or developed PKI-related software
Applications
Participants asked to rate various PKI supported applications as:
– Most Important
– Important
– Not Important
Weight
– 2 points for Most Important, 1 point for Important
– Weight is average for all responses
– Respondents allowed to enter and rank “Other” applications
All applications except Secure RPC considered at least “Important” by over 50%
No application considered “Most Important” by a majority
PKI is truly a horizontal, enabling technology with many applications
PKI Application Weights
Obstacles
Participants given a list of obstacles and asked to rank each as:
– Major Obstacle
– Minor Obstacle
– Not an Obstacle
Weight
– Similar to Application Weight (2 points for Major Obstacle, 1 for Minor)
– Write-in area for “Other” obstacles
No obstacle was ranked “Not an Obstacle” by the majority, indicating all were relevant
Top two obstacles rated as “Major” by at least 50%, top six rated “Major” by at least 40%
92% indicated they would use PKI more if obstacles were removed.
Responses consistent across demographics
PKI Obstacle Weights
Additional PKI Obstacles
August 2003 Follow-up Survey
Goal
– Obtain detailed information needed to create Action Plan
How
– Web-based survey deployed during August 2003
– Invitation distributed to June 2003 respondents
Respondents
– 74 valid responses
– Demographics and opinions similar to previous survey
Improved Ranking System
– Respondent given “budget” of 10 points, asked to allocate them among choices
Added
– Clarifying questions on obstacles
– Six “other” obstacles identified by respondents to June 2003 survey
– Request for suggestions on how to address top obstacles
Obstacles Ranked by Importance
Which Applications Most Critically Need Improvements in PKI Support?
More on Application Support for PKI
Application support is inconsistent
– Many applications have no PKI support
– When present, PKI support varies widely
– Interoperation is nearly impossible
Common comments on how to address this problem
– Create guidelines for each type of application on how PKI support should be implemented (like draft-ietf-ipsec-pki-profile-03.txt)
– Encourage OS vendors to include PKI features (e.g. smart card support)
Which Costs are Most Problematic?
More on Costs
Many Kinds of Costs
Common comments on how to address this problem
– Promote specific standards that avoid the need for customization
– Outsource
– Encourage free PKI software and free CAs for low-assurance applications
Which parties most need greater PKI understanding?
More on PKI Understanding
Common comments on how to address this problem
– Explain in non-technical terms the benefits, value, and ROI of PKI
– Explain when PKI is appropriate (or not)
– Provide a cookbook on deploying PKI
– All educational materials should be unbiased and freely available
Where do the Most Serious Interoperability Problems Arise?
More on Interoperability Problems
Standards are inadequate
– In some cases (e.g. certificate management) there are too many standards
– In others (as with smart cards) there are too few
– When present, standards are often too flexible and too complex
– Overly flexible and complex standards create an environment where implementations from different vendors rarely interoperate
Common comments on how to address this problem
– Create specific profiles of PKI standards, including application guidelines
– Provide interoperability testing, test suites, and certification
PKI Action Plan
Status
– Draft in Public Review
– Asking all stakeholders (users, vendors, standards groups, and experts) to review, comment on, and support the plan
– Plan to announce Action Plan formally in February 2004
Features
– Develop specific application guidelines on PKI standards use
– Increase interoperability testing, possibly with branding and certification
– Ask application vendors what they need to provide PKI support
– Gather and/or enhance educational materials
A Call to Action
Obstacles to PKI deployment and usage are an industry-wide problem
– The obstacles are widely agreed upon
– They hurt all of us (increasing costs, slowing down innovation, reducing sales, reducing security)
The PKI Action Plan is a Call to Action for the industry
– The PKI TC is passing on requests from hundreds of customers
– Implementing the PKI Action Plan will require cooperation from all of us
The PKI TC plans to act as a catalyst and coordinator
– Helping the industry agree on problems and solutions
– Supporting and publicizing efforts already under way
– Encouraging new efforts
An Invitation
PKI Stakeholders (users, vendors, etc.) are invited to:
– Review and comment on the draft PKI Action Plan
– Sign on to support the PKI Action Plan
– Join the OASIS PKI TC
http://www.oasis-open.org/committees/pki