
OASIS PKI TC: Identifying and Overcoming Obstacles to PKI Deployment and Usage

Jean Pawluk (Inovant) & Steve Hanna (Sun), April 2004


Presentation Transcript


  1. OASIS PKI TC: Identifying and Overcoming Obstacles to PKI Deployment and Usage Jean Pawluk (Inovant) & Steve Hanna (Sun) April 2004

  2. Acknowledgements OASIS Public Key Infrastructure Technical Committee - A dedicated group of PKI technology “early adopters” including

  3. Assumptions • Public Key Infrastructure (PKI) is a fundamental security technology • PKI’s promise as a foundation technology is challenged by its very complexity & the costs of deployment. • OASIS PKI Technical Committee was formed in January 2003 to tackle the issue of how to successfully deploy and use Public Key Infrastructure

  4. The Surveys • If PKI is such a useful technology, why isn’t it more widely used? • PKI TC wanted more objective viewpoints: • Two surveys commissioned: • June 2003 - Initial Survey • August 2003 - Detailed Survey

  5. The Approach • Survey invitations sent to organizations and email discussion lists dedicated to PKI. • The 216 survey respondents are a group of experienced industry professionals with serious PKI experience. • Over 90% of the respondents have either deployed or developed PKI software

  6. Obstacles: Ranked by Importance The first four obstacles have more than half of the total points

  7. Applications: Ranked by Need for Improvements in PKI Support • Support for PKI is inconsistent. • Often, it’s missing from applications and operating systems or, if present, it differs widely in what’s supported. • Current PKI standards are inadequate. In some areas (as with certificate management) there are too many standards. In others (e.g. smart cards), there are too few.

  8. Costs Ranked by Most Problematic

  9. Parties: Ranked by Greatest Need for PKI Understanding Few understand what the value of PKI is

  10. Where the Most Serious Interoperability Problems Arise Frustration with PKI results from attempting to implement it and running into serious interoperability problems

  11. PKI Call to Action - 1 • Develop Application Guidelines for PKI Use • Create specific guidelines for the three most popular PKI applications, describing how the standards should be used for each application. • Document Signing • Secure Email • Electronic Commerce • These guidelines should be simple and clear enough that if vendors and customers implement them properly, PKI interoperability can be achieved.

  12. PKI Call to Action - 2 • Increase Testing to Improve Interoperability • Provide conformance test suites, interoperability tests, and testing events for the three most popular applications • Document Signing • Secure Email • Electronic Commerce • Certificate management protocols and smart card compatibility are a concern. • Branding and certification may be desirable.

  13. PKI Call to Action - 3 • Ask Application Vendors What They Need • Ask application vendors to tell us what they need to provide better PKI support. • Explore how these needs (e.g. for quantified customer demand or good support libraries) can be met.

  14. PKI Call to Action - 4 • Gather and Supplement Educational Materials on PKI • Explain in non-technical terms the benefits, value, ROI, and risk management effects of PKI. • Include specific examples of PKI applications with real benefits and ROI. • Explain when PKI is appropriate (or not).

  15. PKI Call to Action - 5 • Explore Ways to Lower Costs • Reduce cost as a barrier to the use of PKI. • Encourage the software development community (including the open source community) to provide options for organizations to conduct small pilots & tests of PKI at reasonable cost. • Operating a production PKI involves many costs other than software acquisition • Gather “best practices” for cost reduction in PKI deployments.

  16. Join Us … OASIS Public Key Infrastructure Technical Committee has begun implementation of its PKI Action Plan http://www.oasis-open.org/committees/pki/pkiactionplan.pdf

  17. End Users Viewpoint • Who do you trust? • Legal Contracts & Assumed Risk • Liability Issues • Identity Binding • Cross Chaining vs. Closed Systems Validation
