[kictanet] [Skunkworks] Fwd: Kenya's PKI Destined for Failure?
Wambua, Christopher
Wambua at cck.go.ke
Fri Mar 22 13:15:26 EAT 2013
Warigia,
In my view, the assessment of CCK's performance in respect to Universal
Access Fund is not fair.
I say this because the legal framework for the Universal Service Fund
(USF) is barely three years old (i.e. the Kenya Information and
Communications Act of 2009 and the Kenya Information and Communications
Universal Access and Service Regulations of 2010). It is these pieces of
legislation that charge CCK with the responsibility of managing and
administering the Fund. From the date USF's legal instruments were put
in place, the issue of doing nothing in the last six years does not
arise. You will also recall that the Universal Service Access Committee
(USAC), which is mandated to advise the CCK Board on the management of
the Fund, was appointed in December 2012 by the Minister for Information
and Communications.
As it awaited the legal framework to be in place, CCK undertook a number
of preparatory activities for the implementation of USF. These include:
* Establishing a Statistical function within the Commission in
view of the need for up to date information on access and usage of ICT
to inform universal access planning. This is the Unit that prepares the
Quarterly Sector Statistics.
* Carrying out a number of studies to guide the implementation
of the Fund, including the National ICT Survey (2010/2011) and the ICT
Access Gaps Study (2011). The Survey was undertaken in conjunction with
the Kenya National Bureau of Statistics to provide baseline information
on the level of access and usage of ICTs at the household level in
Kenya. The Survey provides benchmark indicators against which to
measure the penetration of ICT services particularly through the USF.
It provided a key input into the ICTs Access Gap study of 2011
undertaken by APOYO Consultoria. The ICT Access Gap Study identified
areas that lacked access to voice, postal and data services and provide
cost estimates for closing the gaps. It has provided the basis for
identifying the areas requiring USF interventions and prioritizing
allocation of funds. These reports are available on the CCK website.
* Implementing a number of UA pilot projects whose experience will
be key in implementing national UA projects. The pilot projects include:
16 ICT Centers in Secondary Schools (2 in each province), 4 Community
Centers, 8 ICT Centers schools for PWDs (covering all secondary schools
for PwDs in Kenya), 10 e-Resource Centers within the Kenya National
Library Service outlets, E-health Project (in collaboration with the
Ministry of Health and Qualcomm Inc), Content Development that include
the Digitization of the Kenya Certificate of Secondary School (KCSE)
Form I and II curriculum by KIE and a Web Portal for Persons With
Disabilities (in partnership with the National Council for Persons with
Disabilities and United Disabled Persons of Kenya). These projects have
been funded largely by the Commission.
* From 2012 to date, the Commission has been developing USF
program concepts, projects prioritization criteria and USF Strategy with
technical support from USAID's Global Broadband Innovation (GBI)
programme. Again with support from the USAID, the Commission in
conjunction with the Ministry of Information and Communications, Kenya
ICT Board, E-Government Directorate, Vision 2030 Secretariat and
National Communications Secretariat and other stakeholders are
developing a National Broadband Strategy (NBS). This strategy is
important in the realization of universal access to broadband services
in Kenya.
Starting from July 2013, the Fund shall be brought into operation. In
this regard, all licensees shall be expected to begin remitting their
statutory contribution to the Fund. On its part, the Commission has set
aside Kshs1,000,000,000 as seed money for the USF.
I hope this sheds more light on this matter.
Wambua
From: kictanet
[mailto:kictanet-bounces+wambua=cck.go.ke at lists.kictanet.or.ke] On
Behalf Of Warigia Bowman
Sent: Thursday, March 21, 2013 4:50 PM
To: Wambua, Christopher
Cc: KICTAnet ICT Policy Discussions
Subject: Re: [kictanet][Skunkworks] Fwd: Kenya's PKI Destined for
Failure?
Dear Brian
Thank you for this very thoughtful discussion.
4. Inertia: CCK has proven to be very poor at the timely execution
of functions that fall outside their core mandate of licensing,
regulation and resource management. A perfect example is the
implementation of the Universal Service Fund, which CCK insisted on
handling as an inhouse function instead of facilitating the setup of a
dedicated entity to handle the task. It has been over 6 years since
regulation and legislation regarding the USF came into place and there
is still nothing to speak of. I will reserve this as a subject for
another day (it is a long and detailed one!)
Erm, am I the only one embarassed that all of our neighbors have a
functional USF, but Kenya does not?
Recommendations
The Government should immediately consider adopting a Public Private
Partnership approach for the implementation of Kenya's NPKI. This is
especially timely because we now have a fully ratified Public Private
Partnership Policy that provides a variety of models for project
implementation. This will not only ensure involvement from crucial
stakeholders but also free the Root Authority from the problems
highlighted above (and probably many others) while at the same time
ensuring that enough private sector energy and enthusiasm is infused
into the project so that it moves with speed and determination. Success
stories such as KENIC and TEAMS show that it is not only possible but
that it can be done with ease.
PPPs are the respected model for many kinds of endeavors, and this is a
very strong suggestion.
Yours, Warigia
On Thu, Mar 21, 2013 at 8:24 AM, Lucy Kimani <lkimani at yahoo.com> wrote:
Ali and Brian +1
CCK can be the CA for the government but there has to be Private Sector
based CAs as well to avoid conflict of interest. What may seem complex
when broken down may not be all that bad as evidenced in this paper:
http://www.articsoft.com/whitepapers/AustPKI03SMr2.pdf
I especially like the not always waiting for the government "The
business and Internet communities are not waiting for some over-arching
system to be put into
place by governments or agencies such as the UN. They are seizing
opportunities as they arise, putting in place systems that they trust
and selecting their own RCA - a PRIVATE RCA - if they select one at all.
An example of this is the Secure Electronic Transaction (SET) PKI
developed by Visa and MasterCard. Figure 4 represents the basic SET PKI
as identified by Ford & Baum. A new version of the SET protocol has
recently been introduced, sometimes referred to as 3DSET. It
expects to provide the customer with a provable digital receipt for a
transaction, establishing the formality of the contract between the
customer and the merchant, something that was lacking in the original
implementation."
VISA introduced 3D SET in 2000 to address issues with SET PKI.
3D SET simplifies the SET protocol into three domain Model:
1) acquirer domain,
2) issuer domain,
3) interoperability domain.
3D SET provide a flexible framework that allows banks and acquirers to
use their method to authenticate cardholders and merchants in a
transaction.
--- On Thu, 3/21/13, Ali Hussein <ali at hussein.me.ke> wrote:
From: Ali Hussein <ali at hussein.me.ke>
Subject: Re: [kictanet] [Skunkworks] Fwd: Kenya's PKI Destined for
Failure?
To: lkimani at yahoo.com
Cc: "KICTAnet ICT Policy Discussions" <kictanet at lists.kictanet.or.ke>
Date: Thursday, March 21, 2013, 7:24 AM
Adam +1
And I give Brian the highest commendation for highlighting this issue.
We must always try our level best to embrace the Multi-Stakeholder
regime because as much as sometimes it sound like we are in the Tower of
Babel ultimately the best solutions emerge (most of the time).
Regards
Ali Hussein
CEO, 3mice interactive media ltd
Partner, Telemedia Africa Ltd
Tel: +254713601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
Blog: www.alyhussein.com
On Thu, Mar 21, 2013 at 12:58 PM, Adam Nelson <adam at varud.com
<http://mc/[email protected]> > wrote:
I think Brian's original point is well taken. It's not ideal for a
Korean government agency to hold such important keys. However, Kenya
can't just start its own key without at least a few years of lead time
to get on a critical mass of browsers and operating systems by default
(although it should start now just to get the ball rolling). Finland
and Turkey have CAs (although Turkey's was famously hacked with
google.com signatures).
I would suggest that the certificate authority for this be one of the
most trusted and common commercial ones - Equifax. That's what Google
uses and because they're commercial, will probably be more responsive to
the needs of the government than a Koren agency.
-Adam
https://twitter.com/varud
https://www.linkedin.com/in/adamcnelson
On Thu, Mar 21, 2013 at 12:32 PM, Kivuva <Kivuva at transworldafrica.com
<http://mc/[email protected]> > wrote:
Good points from Brian and Evans.
I think the elephant in the room is CCK to be the Root
Certification Authority. PPP as Brian puts it might be the best way to
go, although it has its own challenges, as we saw last year when KENIC
was facing leadership challenges, and discord within the board. Other
channels might be to tender for local companies to bid to be the RCA.
This has worked very well in developed countries.
The issue of HR can be sorted if we are willing to empower our
youth, by say Knowledge Transfer. Unfortunately, these Asians are not
very keen in transferring such knowledge to the client side of the
business since they want to be indispensable. But we can be forceful,
and find ways to train people who will administer the NPKI system. We
currently have thousands of security experts in the country, and we are
willing to learn more.
Kind Regards.
--
______________________
Mwendwa Kivuva
_______________________________________________
skunkworks mailing list
skunkworks at lists.my.co.ke
<http://mc/[email protected]>
------------
List info, subscribe/unsubscribe
http://orion.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------
Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke
_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
<http://mc/[email protected]>
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at
https://lists.kictanet.or.ke/mailman/options/kictanet/info%40alyhussein.
com
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
for people and institutions interested and involved in ICT policy and
regulation. The network aims to act as a catalyst for reform in the ICT
sector in support of the national aim of ICT enabled growth and
development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors
online that you follow in real life: respect people's times and
bandwidth, share knowledge, don't flame or abuse or personalize, respect
privacy, do not spam, do not market your wares or qualifications.
-----Inline Attachment Follows-----
_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
<http://mc/[email protected]>
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at
https://lists.kictanet.or.ke/mailman/options/kictanet/lkimani%40yahoo.co
m
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
for people and institutions interested and involved in ICT policy and
regulation. The network aims to act as a catalyst for reform in the ICT
sector in support of the national aim of ICT enabled growth and
development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors
online that you follow in real life: respect people's times and
bandwidth, share knowledge, don't flame or abuse or personalize, respect
privacy, do not spam, do not market your wares or qualifications.
_______________________________________________
kictanet mailing list
kictanet at lists.kictanet.or.ke
https://lists.kictanet.or.ke/mailman/listinfo/kictanet
Unsubscribe or change your options at
https://lists.kictanet.or.ke/mailman/options/kictanet/warigia%40gmail.co
m
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform
for people and institutions interested and involved in ICT policy and
regulation. The network aims to act as a catalyst for reform in the ICT
sector in support of the national aim of ICT enabled growth and
development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors
online that you follow in real life: respect people's times and
bandwidth, share knowledge, don't flame or abuse or personalize, respect
privacy, do not spam, do not market your wares or qualifications.
--
Dr. Warigia Bowman
Assistant Professor
Clinton School of Public Service
University of Arkansas
wbowman at clintonschool.uasys.edu
-------------------------------------------------
View my research on my SSRN Author page:
http://ssrn.com/author=1479660
--------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.kictanet.or.ke/pipermail/kictanet/attachments/20130322/c2ddca57/attachment.htm>
More information about the KICTANet
mailing list