Obstacles to PKI Deployment and Usage - Survey Results and Draft Action Plan Steve Hanna, Co-chair, OASIS PKI TC

Posted on 19-Dec-2015

Agenda

– OASIS PKI Technical Committee
– Survey Results on Obstacles to PKI Deployment and Usage
– PKI Action Plan
– Invitation

OASIS PKI Technical Committee

Vital Statistics
– Formed January 2003, successor to PKI Forum
– 15 Voting Members: PKI customers, vendors, and experts
– Open to any OASIS member

Objective
– Address issues related to successful deployment of digital certificates

Plan
– Identify primary obstacles to PKI deployment and usage
– Develop PKI Action Plan to address these obstacles
– Improve and build support for PKI Action Plan
– Coordinate implementation of PKI Action Plan

OASIS PKI TC Role
– Catalyst and coordinator for addressing PKI obstacles
– Not a standards group or trade group

June 2003 Survey on PKI Obstacles

Goal
– Identify primary obstacles to PKI deployment and usage

How
– Web-based survey deployed June 9 to 22, 2003
– Invitation distributed through PKI standards bodies, trade groups, user associations, etc.

Respondents
– 216 valid responses, many with careful text comments
– 44% IT management and staff, remainder developers, consultants, etc.
– Primary work location: 61% North America, 24% Europe, 6% Asia
– Over 75% with 5 or more years experience in InfoSec/Privacy
– 90% either helped deploy PKI or developed PKI-related software

Applications

Participants asked to rate various PKI-supported applications as:
– Most Important
– Important
– Not Important

Weight
– 2 points for Most Important, 1 point for Important
– Weight is the average over all responses
– Respondents allowed to enter and rank "Other" applications

All applications except Secure RPC considered at least "Important" by over 50%

No application considered "Most Important" by a majority: PKI is truly a horizontal, enabling technology with many applications

PKI Application Weights (chart; values not reproduced in this transcript)

Obstacles

Participants given a list of obstacles and asked to rank each as:
– Major Obstacle
– Minor Obstacle
– Not an Obstacle

Weight
– Similar to Application Weight (2 points for Major Obstacle, 1 for Minor)
– Write-in area for "Other" obstacles

No obstacle was ranked "Not an Obstacle" by the majority, indicating all were relevant

Top two obstacles rated as "Major" by at least 50%; top six rated "Major" by at least 40%

92% indicated they would use PKI more if obstacles were removed. Responses consistent across demographics

PKI Obstacle Weights (chart; values not reproduced in this transcript)

Additional PKI Obstacles (chart; values not reproduced in this transcript)

August 2003 Follow-up Survey

Goal
– Obtain detailed information needed to create Action Plan

How
– Web-based survey deployed during August 2003
– Invitation distributed to June 2003 respondents

Respondents
– 74 valid responses
– Demographics and opinions similar to previous survey

Improved Ranking System
– Respondent given a "budget" of 10 points, asked to allocate them among the choices

Added
– Clarifying questions on obstacles
– Six "other" obstacles identified by respondents to June 2003 survey
– Request for suggestions on how to address top obstacles

Obstacles Ranked by Importance (chart; values not reproduced in this transcript)

Which Applications Most Critically Need Improvements in PKI Support? (chart; values not reproduced in this transcript)

More on Application Support for PKI

Application support is inconsistent
– Many applications have no PKI support
– When present, PKI support varies widely
– Interoperation is nearly impossible

Common comments on how to address this problem
– Create guidelines for each type of application on how PKI support should be implemented (like draft-ietf-ipsec-pki-profile-03.txt)
– Encourage OS vendors to include PKI features (e.g. smart card support)

Which Costs are Most Problematic? (chart; values not reproduced in this transcript)

More on Costs

Many kinds of costs

Common comments on how to address this problem
– Promote specific standards that avoid the need for customization
– Outsource
– Encourage free PKI software and free CAs for low-assurance applications

Which parties most need greater PKI understanding? (chart; values not reproduced in this transcript)

More on PKI Understanding

Common comments on how to address this problem
– Explain in non-technical terms the benefits, value, and ROI of PKI
– Explain when PKI is appropriate (or not)
– Provide a cookbook on deploying PKI
– All educational materials should be unbiased and freely available

Where do the Most Serious Interoperability Problems Arise? (chart; values not reproduced in this transcript)

More on Interoperability Problems

Standards are inadequate
– In some cases (e.g. certificate management) there are too many standards
– In others (as with smart cards) there are too few
– When present, standards are often too flexible and too complex
– Overly flexible and complex standards create an environment where implementations from different vendors rarely interoperate

Common comments on how to address this problem
– Create specific profiles of PKI standards, including application guidelines
– Provide interoperability testing, test suites, and certification
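What "a specific profile of a PKI standard, including application guidelines" looks like in practice, as an added example that is not from the OASIS deck, the PKI TC, or any IETF profile: a hypothetical profile for end-entity TLS server certificates, a checker that reports every deviation, and two constructed self-signed certificates to run it against. The profile values (a 398-day maximum validity, required keyUsage and extendedKeyUsage, names required in subjectAltName, cA forbidden) are assumptions chosen for illustration, and the names Profile, TLSServerProfile, CheckProfile, ConformingCert and LegacyCert are mine. It also covers the earlier "application support" slide, since the same checker is what an application-specific guideline would be tested against.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile is a hypothetical application guideline: it pins the subset of
// X.509 options a conforming end-entity certificate must use. Narrowing the
// standard this way is what makes certificates from different CAs usable by
// the same application without vendor-specific special cases.
type Profile struct {
	MaxValidity time.Duration    // longest allowed NotBefore..NotAfter span
	RequiredKU  x509.KeyUsage    // keyUsage bits that must be set
	RequiredEKU x509.ExtKeyUsage // purpose that must appear in extendedKeyUsage
	RequireSAN  bool             // names must be in subjectAltName, not only CN
	ForbidCA    bool             // basicConstraints cA must not be TRUE
}

// TLSServerProfile is an assumed example profile; every value is illustrative.
var TLSServerProfile = Profile{
	MaxValidity: 398 * 24 * time.Hour,
	RequiredKU:  x509.KeyUsageDigitalSignature,
	RequiredEKU: x509.ExtKeyUsageServerAuth,
	RequireSAN:  true,
	ForbidCA:    true,
}

// CheckProfile returns one message per profile violation; empty means conforming.
func CheckProfile(cert *x509.Certificate, p Profile) []string {
	var v []string
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxValidity {
		v = append(v, "validity period exceeds profile maximum")
	}
	if cert.KeyUsage&p.RequiredKU != p.RequiredKU {
		v = append(v, "keyUsage lacks a required bit")
	}
	hasEKU := false
	for _, e := range cert.ExtKeyUsage {
		if e == p.RequiredEKU {
			hasEKU = true
		}
	}
	if !hasEKU {
		v = append(v, "extendedKeyUsage lacks the required purpose")
	}
	if p.RequireSAN && len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		v = append(v, "no dNSName or iPAddress in subjectAltName")
	}
	if p.ForbidCA && cert.IsCA {
		v = append(v, "basicConstraints cA=TRUE on an end-entity certificate")
	}
	return v
}

// selfSign issues a self-signed certificate from the template with a fresh
// P-256 key; it exists only to build the constructed test certificates offline.
func selfSign(tmpl *x509.Certificate) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ConformingCert is a constructed certificate that follows the profile.
func ConformingCert() (*x509.Certificate, error) {
	now := time.Now()
	return selfSign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now,
		NotAfter:              now.Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	})
}

// LegacyCert is a constructed certificate of the kind the survey complains
// about: well-formed X.509, yet CN-only, ten-year, wrong keyUsage, no EKU, cA set.
func LegacyCert() (*x509.Certificate, error) {
	now := time.Now()
	return selfSign(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "legacy.example.test"},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageKeyEncipherment,
		IsCA:                  true,
		BasicConstraintsValid: true,
	})
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){ConformingCert, LegacyCert} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", cert.Subject.CommonName, CheckProfile(cert, TLSServerProfile))
	}
}
```

Both constructed certificates parse as valid X.509 v3, which is the point: "conforms to the base standard" says nothing about whether an application will accept the certificate, and the five violations reported for the legacy one are exactly the kind of thing an interoperability test suite built on a profile would catch before deployment.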

PKI Action Plan

Status
– Draft in Public Review
– Asking all stakeholders (users, vendors, standards groups, and experts) to review, comment on, and support the plan
– Plan to announce Action Plan formally in February 2004

Features
– Develop specific application guidelines on PKI standards use
– Increase interoperability testing, possibly with branding and certification
– Ask application vendors what they need to provide PKI support
– Gather and/or enhance educational materials

A Call to Action

Obstacles to PKI deployment and usage are an industry-wide problem
– The obstacles are widely agreed upon
– They hurt all of us (increasing costs, slowing down innovation, reducing sales, reducing security)

The PKI Action Plan is a Call to Action for the industry
– The PKI TC is passing on requests from hundreds of customers
– Implementing the PKI Action Plan will require cooperation from all of us

The PKI TC plans to act as a catalyst and coordinator
– Helping the industry agree on problems and solutions
– Supporting and publicizing efforts already under way
– Encouraging new efforts

An Invitation

PKI Stakeholders (users, vendors, etc.) are invited to:
– Review and comment on the draft PKI Action Plan
– Sign on to support the PKI Action Plan
– Join the OASIS PKI TC

http://www.oasis-open.org/committees/pki

[email protected]