[kictanet] Kenya¹s PKI Destined for Failure?

[Sammy Buruchara]

Listers,
Thank you all for the very healthy discussions regarding this important
subject.

I was privileged to attend a Technical workshop at ICT Board on the PKI
Master Plan and it was informative to be taken through the technical process
of the Master Plan and the  implications its setup.

Indeed Brian's concerns are valid and at this time it will be good to
interrogate various options in order to arrive at a suitable arrangement
that will work for Kenya.

Some of the key considerations in the setup of a Root CA would include the
following:
- the PKI infrastructure is related to a country's security and as such
would be a sensitive infrastructure that ideally should be operated and
owned by Kenyans through whatever appropriate vehicle. This would be a
national security candidate much as guarding our borders.
- The business dynamics of PKI is closely linked to growth in use of ICT and
especially as the government comes on board with e-gov services and the
commerce becomes mainstream. As such we would not see a dramatic uptake of
Certificates by organizations and individuals until we reach  a critical
mass in computing devices both conventional and smart phones. We may need to
combine both marketing and some level of legislation in key areas such as
banking to encourage users to come on board.
- KPI has very high Setup and operational costs (more than $8m initially).
The viability of such a project would be a major consideration and as such a
suitable vehicle with sufficient financing would need to be setup bearing in
mind that it may not initially make much money and would rely heavily on
funding from its shareholders.
-Security is an evolving issue and there will be a need for research and
development of cryptography to meet the changing needs of the country.  A
linkage with Academia will be important, and the setup of research centers
on security would wean us off  reliance on foreign expertise going forward.


My two cents.

Kind regards
Sammy

From:  Paul Kukubo <pkukubo at ict.go.ke>
Date:  Thursday, March 21, 2013 4:06 PM
To:  <buruchara at mac.com>
Cc:  KICTAnet ICT Policy Discussions <kictanet at lists.kictanet.or.ke>
Subject:  Re: [kictanet] Kenya¹s PKI Destined for Failure?

Listers

Let me attempt to paraphrase the questions raised in the email discussion.

1. Is CCK the best place to locate the root Certification Authority for
Public Key infrastructure for Kenya?
2. Should all projects be subjected to a multi-stakeholder process in their
implementation?

I dont want to propose answers prematurely because the spirit of the
discussion seems to that we keep an open an lively discussion that educates
our stakeholders.

When it comes to very technical projects, those of us that understand them
better will invariably drive the discussion. Perhaps a starting point would
be to ask. Do all the stakeholders feel they fully understand what we are
trying to achieve? I have asked my team at the office to re-circulate the
press release we issued yesterday.  we need to carry everyone along. Indeed
that' is the very essence of the workshop we had yesterday.

One thing I did mention during the launch of the National Cybersecurity
Masterplan a few weeks ago was that it is now time for stakeholders to
re-formalise their approach to providing input. ICT is a broad subject and
covers many varied sub-fields. It might help for a formal body of the
private  and development sector to be consulted formally on certain aspects
of projects. This way this formal body can also be held accountable to
members with respect to the inputs they provide.

The current approach works well when there is expertise on a certain
subject. But the weakness is there is a risk. opinion takes the place of
active engaged discovery. when the opinions are well informed we are better
for it. But sometimes we also need to feel that as public officials we can
call upon a structured group on an issue.

Brian Longwe's email comments are noted. He proposes proposes a separate
body to manage the Root CA. More views are welcome. Indeed that was the very
reason the meeting was convened.

Asante Sana

Paul Kukubo CEO, Kenya ICT Board

Paul Kukubo
Chief Executive Officer, Kenya ICT Board
PO Box 27150 - 00100
Nairobi, Kenya

12th Floor, Teleposta Towers Koinange Street

Tel +254 20 2089061, +254 20 2211960
Fax: +254 20 2211962
website: www.ict.go.ke <http://www.ict.go.ke>
local content project: www.tandaa.co.ke <http://www.tandaa.co.ke> ,
www.facebook.com/tandaakenya <http://www.facebook.com/tandaakenya>
twitter:@tandaaKENYA
BPO Project: www. doitinkenya.co.ke <http://doitinkenya.co.ke>
Digital Villages Project: www.pasha.co.ke <http://www.pasha.co.ke>


personal contacts
_______________

Cell: + 254 717 180001


skype: kukubopaul
googletalk: pkukubo
personal blog: www.paulkukubo.co.ke <http://www.paulkukubo.co.ke>
personal twitter: @pkukubo


____________________
Vision: Kenya becomes a top ten global ICT hub

Mission: To champion and actively enable Kenya to adopt and exploit ICT,
through promotion of partnerships, investments and infrastructure growth for
socio economic enrichment


On Wed, Mar 20, 2013 at 6:06 PM, Brian Munyao Longwe <blongwe at gmail.com>
wrote:
> Disclaimer: All the opinions expressed herein are my own.
> 
>                  
>  
> #140friday <http://140friday.com>  » Business <http://140friday.com/?cat=3>  »
> Politics <http://140friday.com/?cat=6>  » Technology
> <http://140friday.com/?cat=8>  » Kenya¹s PKI Destined for Failure?
>   March 20, 2013 
>  Kenya¹s PKI Destined for Failure?
>  
>                  
> 
> 
> Today I had the opportunity to attend a seminar organized by the Ministry of
> Information & Communications and Samsung SDS as part of the implementation of
> Kenya¹s National Public Key Infrastructure (NPKI). The project is undertaken
> within the framework of the Kenya Transparency & Communications Infrastructure
> Project (KTCIP), a World Bank funded initiative that will help Kenya achieve a
> number of the goals under the ICT pillar of Vision 2030.
> 
> The presentations from the team from Korea consisted of representatives of
> Samsung SDS (who won the International tender for Kenya¹s NPKI implementation)
> as well as representatives from some of the key actors in Korea¹s own NPKI.
> The Korean presentations were interesting, informative and very well prepared.
> Over the period of a few hours they were able to take the relatively complex
> subject of National Public Kenya Infrastructure and unpack it in a way that
> was both easy to understand as well as clear and straightforward. They left no
> shadow of doubt as to whether Samsung SDS can successfully implement this
> project. They also shared the organizational structure for the project, which
> is as follows:
> 
>  <http://140friday.com/wp-content/uploads/2013/03/CAM00454.jpg>
> 
> During the course of their presentations the team from Korea shared the high
> level plan for the implementation of Kenya¹s SDS. They made it clear that they
> had spent a good deal of time working closely with Government officials
> responsible from the Kenyan side.
> 
> In describing the structure and hierarchy that has proven successful in Korea
> for the implementation and operation of their NPKI, the team shared the
> following diagram.
> 
>  <http://140friday.com/wp-content/uploads/2013/03/CAM00455.jpg>
> 
> At the very top, there is the Ministry responsible for the NPKI, they provide
> the legal and regulatory framework, national authentication plan and other
> high level functions. Below them is the ³Root Certification Authority² an
> organization known as the Korea Internet Security Agency (KISA), which
> provides operation of the National Authentication system,
> licensing/accreditation of certificate authorities (CA) to provide service to
> the public as well as development of technical standards. Below them are the
> accredited CAs of which Korea has 5 who provide certificate issuance and
> management services to the public.
> 
> In a presentation which came later, the Korean team shared the proposed
> structure for the Kenyan implementation which had been arrived at after
> consultations with Government. The diagram is as follows.
> 
>  <http://140friday.com/wp-content/uploads/2013/03/CAM00457.jpg>
> 
> In this structure, Government who will be responsible for legal and regulatory
> framework, national authentication plan, other high level functions as well as
> licensing and auditing are to be represented by the Communications Commission
> of Kenya (CCK). Below them and responsible for operation of the Root
> Certification Authority is CCK. Below that are a proposed ³Government CA²
> which will issue certificates for Government agencies and employees and a
> proposed ³Private Sector CA² which will issue certificates to the rest of the
> country.
> 
> I have a big problem with this structure. First and foremost because CCK is
> being proposed as BOTH the licensing authority as well as the licensed
> operator of the Root Certification Authority. The potential for conflict of
> interest is immediately evident, not to mention the fact that the end-to-end
> integrity of a structure that ensures top-down accountability is rendered
> completely void. Even worse was the mumbled suggestions by some of the
> government participants at the seminar that CCK might also act as the
> Government CA. In addition that is the fact that a project as crucial as this
> has not gone through a proper stakeholder consultative process and is
> seemingly being shoved down our throats. In his closing remarks a director a
> the E-Government directorate asked the ICT Board to engage stakeholders
> further and receive input before moving too far.
> 
> I raised this point as a question during the Q & A session at the end of the
> seminar and would like to emphasise that it would be very wrong for CCK to be
> the Root Certification Authority for a number of reasons:
> 1. Conflict of Interest: As per the proposed structure the representative of
> Government, CCK needs to serve as the top level entity that handles the legal
> and regulatory framework and the national authentication plan. Adding a
> subsidiary role would not only compromise their integrity but would also
> expose them to all manner of challenges with regards to operation of an
> infrastructure that is supposed to be based on trust.
> 2. Procurement Issues: In sharing to a certain level of detail the complexity
> of the Root Authority setup, it became evident that there would be a
> continuous need for procurement of various goods and services. As a government
> agency, CCK is subject to public procurement regulations, this means that even
> very basic, small and simple items could take months if not years to procure.
> The problems with our public procurement are well known. Subjecting the Root
> Authority to this kind of environment is in itself a major risk for successful
> implementation and operation.
> 3. Human Resource Issues: Several times in their presentations the Koreans
> complained that they had observed a critical lack of human resources. They
> emphasized that they were not referring to skilled human resources but simply
> to enough people for the project requirements. Shock of shocks! With the
> incredible numbers of well educated Kenyans who are unemployed or
> underemployed? They could obviously have only been referring to what they had
> seen as far as the people available for the project from the Ministry and CCK.
> It is no secret that CCK has extremely limited human resources in their ICT
> division and those few are oveworked, stretched beyond measure and juggling
> multipe roles. Isn¹t adding additional responsibilities into this mix a
> formula for disaster?
> 4. Inertia: CCK has proven to be very poor at the timely execution of
> functions that fall outside their core mandate of licensing, regulation and
> resource management. A perfect example is the implementation of the Universal
> Service Fund, which CCK insisted on handling as an inhouse function instead of
> facilitating the setup of a dedicated entity to handle the task. It has been
> over 6 years since regulation and legislation regarding the USF came into
> place and there is still nothing to speak of. I will reserve this as a subject
> for another day (it is a long and detailed one!)
> Recommendations
> 
> The Government should immediately consider adopting a Public Private
> Partnership approach for the implementation of Kenya¹s NPKI. This is
> especially timely because we now have a fully ratified Public Private
> Partnership Policy that provides a variety of models for project
> implementation. This will not only ensure involvement from crucial
> stakeholders but also free the Root Authority from the problems highlighted
> above (and probably many others) while at the same time ensuring that enough
> private sector energy and enthusiasm is infused into the project so that it
> moves with speed and determination. Success stories such as KENIC and TEAMS
> show that it is not only possible but that it can be done with ease.
> 
> 
> _______________________________________________
> kictanet mailing list
> kictanet at lists.kictanet.or.ke
> https://lists.kictanet.or.ke/mailman/listinfo/kictanet
> 
> Unsubscribe or change your options at
> https://lists.kictanet.or.ke/mailman/options/kictanet/pkukubo%40ict.go.ke
> 
> The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for
> people and institutions interested and involved in ICT policy and regulation.
> The network aims to act as a catalyst for reform in the ICT sector in support
> of the national aim of ICT enabled growth and development.
> 
> KICTANetiquette : Adhere to the same standards of acceptable behaviors online
> that you follow in real life: respect people's times and bandwidth, share
> knowledge, don't flame or abuse or personalize, respect privacy, do not spam,
> do not market your wares or qualifications.

_______________________________________________ kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet Unsubscribe or change
your options at 
https://lists.kictanet.or.ke/mailman/options/kictanet/buruchara%40mac.com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for
people and institutions interested and involved in ICT policy and
regulation. The network aims to act as a catalyst for reform in the ICT
sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors
online that you follow in real life: respect people's times and bandwidth,
share knowledge, don't flame or abuse or personalize, respect privacy, do
not spam, do not market your wares or qualifications.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20130321/70949dbd/attachment.htm>