<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Listers,</div><div>Thank you all for the very healthy discussions regarding this important subject.</div><div><br></div><div>I was privileged to attend a Technical workshop at ICT Board on the PKI Master Plan and it was informative to be taken through the technical process of the Master Plan and the implications its setup.</div><div><br></div><div>Indeed Brian's concerns are valid and at this time it will be good to interrogate various options in order to arrive at a suitable arrangement that will work for Kenya.</div><div><br></div><div>Some of the key considerations in the setup of a Root CA would include the following:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>- the PKI infrastructure is related to a country's security and as such would be a sensitive infrastructure that ideally should be operated and owned by Kenyans through <span class="Apple-tab-span" style="white-space:pre"> </span>whatever appropriate vehicle. This would be a national security candidate much as guarding our borders.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>- The business dynamics of PKI is closely linked to growth in use of ICT and especially as the government comes on board with e-gov services and the commerce becomes mainstream. As such we would not see a dramatic uptake of Certificates by organizations and individuals until we reach a critical mass in computing devices both conventional and smart phones. We may need to combine both marketing and some level of legislation in key areas such as banking to encourage users to come on board.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>- KPI has very high Setup and operational costs (more than $8m initially). The viability of such a project would be a major consideration and as such a suitable vehicle with sufficient financing would need to be setup bearing in mind that it may not initially make much money and would rely heavily on funding from its shareholders.</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>-Security is an evolving issue and there will be a need for research and development of cryptography to meet the changing needs of the country. A linkage with Academia will be important, and the setup of research centers on security would wean us off reliance on foreign expertise going forward.</div><div><br></div><div><br></div><div>My two cents.</div><div><br></div><div>Kind regards</div><div>Sammy</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Paul Kukubo <<a href="mailto:pkukubo@ict.go.ke">pkukubo@ict.go.ke</a>><br><span style="font-weight:bold">Date: </span> Thursday, March 21, 2013 4:06 PM<br><span style="font-weight:bold">To: </span> <<a href="mailto:buruchara@mac.com">buruchara@mac.com</a>><br><span style="font-weight:bold">Cc: </span> KICTAnet ICT Policy Discussions <<a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a>><br><span style="font-weight:bold">Subject: </span> Re: [kictanet] Kenya’s PKI Destined for Failure?<br></div><div><br></div><div dir="ltr">Listers<div><br></div><div style="">Let me attempt to paraphrase the questions raised in the email discussion.</div><div style=""><br></div><div style="">1. Is CCK the best place to locate the root Certification Authority for Public Key infrastructure for Kenya? </div><div style="">2. Should all projects be subjected to a multi-stakeholder process in their implementation?</div><div style=""><br></div><div style="">I dont want to propose answers prematurely because the spirit of the discussion seems to that we keep an open an lively discussion that educates our stakeholders.</div><div style=""><br></div><div style="">When it comes to very technical projects, those of us that understand them better will invariably drive the discussion. Perhaps a starting point would be to ask. Do all the stakeholders feel they fully understand what we are trying to achieve? I have asked my team at the office to re-circulate the press release we issued yesterday. we need to carry everyone along. Indeed that' is the very essence of the workshop we had yesterday.</div><div style=""><br></div><div style="">One thing I did mention during the launch of the National Cybersecurity Masterplan a few weeks ago was that it is now time for stakeholders to re-formalise their approach to providing input. ICT is a broad subject and covers many varied sub-fields. It might help for a formal body of the private and development sector to be consulted formally on certain aspects of projects. This way this formal body can also be held accountable to members with respect to the inputs they provide.</div><div style=""><br></div><div style="">The current approach works well when there is expertise on a certain subject. But the weakness is there is a risk. opinion takes the place of active engaged discovery. when the opinions are well informed we are better for it. But sometimes we also need to feel that as public officials we can call upon a structured group on an issue. </div><div style=""><br></div><div style="">Brian Longwe's email comments are noted. He proposes proposes a separate body to manage the Root CA. More views are welcome. Indeed that was the very reason the meeting was convened.</div><div style=""><br></div><div style="">Asante Sana</div><div style=""><br></div><div style="">Paul Kukubo CEO, Kenya ICT Board</div></div><div class="gmail_extra"><br clear="all"><div>Paul Kukubo<br>Chief Executive Officer, Kenya ICT Board<br>
PO Box 27150 - 00100<br>Nairobi, Kenya<br><br>12th Floor, Teleposta Towers Koinange Street<br><br>Tel +254 20 2089061, +254 20 2211960 <br>Fax: +254 20 2211962<br>website: <a href="http://www.ict.go.ke">www.ict.go.ke</a><br>
local content project: <a href="http://www.tandaa.co.ke">www.tandaa.co.ke</a>, <a href="http://www.facebook.com/tandaakenya">www.facebook.com/tandaakenya</a><br>twitter:@tandaaKENYA<br>BPO Project: www. <a href="http://doitinkenya.co.ke">doitinkenya.co.ke</a><br>
Digital Villages Project: <a href="http://www.pasha.co.ke">www.pasha.co.ke</a><br><br><br>personal contacts<br>_______________<br><br>Cell: + 254 717 180001<br><br><br>skype: kukubopaul<br>googletalk: pkukubo<br>personal blog: <a href="http://www.paulkukubo.co.ke">www.paulkukubo.co.ke</a><br>
personal twitter: @pkukubo<br><br><br>____________________<br>Vision: Kenya becomes a top ten global ICT hub<br><br>Mission: To champion and actively enable Kenya to adopt and exploit ICT, through promotion of partnerships, investments and infrastructure growth for socio economic enrichment </div><br><br><div class="gmail_quote">On Wed, Mar 20, 2013 at 6:06 PM, Brian Munyao Longwe <span dir="ltr"><<a href="mailto:blongwe@gmail.com" target="_blank">blongwe@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Disclaimer: All the opinions expressed herein are my own.<br><br>
<div>
<div><a href="http://140friday.com" target="_blank">#140friday</a> » <a href="http://140friday.com/?cat=3" title="View all posts in Business" target="_blank">Business</a> » <a href="http://140friday.com/?cat=6" title="View all posts in Politics" target="_blank">Politics</a> » <a href="http://140friday.com/?cat=8" title="View all posts in Technology" target="_blank">Technology</a> » Kenya’s PKI Destined for Failure?</div>
<span>March 20, 2013</span>
</div><div><div><h1>
Kenya’s PKI Destined for Failure? </h1>
</div>
</div><br><p>Today I had the opportunity to
attend a seminar organized by the Ministry of Information &
Communications and Samsung SDS as part of the implementation of Kenya’s
National Public Key Infrastructure (NPKI). The project is undertaken
within the framework of the Kenya Transparency & Communications
Infrastructure Project (KTCIP), a World Bank funded initiative that will
help Kenya achieve a number of the goals under the ICT pillar of Vision
2030.</p><p>The presentations from the team from Korea consisted of
representatives of Samsung SDS (who won the International tender for
Kenya’s NPKI implementation) as well as representatives from some of the
key actors in Korea’s own NPKI. The Korean presentations were
interesting, informative and very well prepared. Over the period of a
few hours they were able to take the relatively complex subject of
National Public Kenya Infrastructure and unpack it in a way that was
both easy to understand as well as clear and straightforward. They left
no shadow of doubt as to whether Samsung SDS can successfully implement
this project. They also shared the organizational structure for the
project, which is as follows:</p><p><a href="http://140friday.com/wp-content/uploads/2013/03/CAM00454.jpg" target="_blank"><img alt="CAM00454" height="472" width="630"></a></p><p>During the course of their presentations the team from Korea shared
the high level plan for the implementation of Kenya’s SDS. They made it
clear that they had spent a good deal of time working closely with
Government officials responsible from the Kenyan side.</p><p>In describing the structure and hierarchy that has proven successful
in Korea for the implementation and operation of their NPKI, the team
shared the following diagram.</p><p><a href="http://140friday.com/wp-content/uploads/2013/03/CAM00455.jpg" target="_blank"><img alt="CAM00455" height="472" width="630"></a></p><p>At the very top, there is the Ministry responsible for the NPKI, they
provide the legal and regulatory framework, national authentication
plan and other high level functions. Below them is the “Root
Certification Authority” an organization known as the Korea Internet
Security Agency (KISA), which provides operation of the National
Authentication system, licensing/accreditation of certificate
authorities (CA) to provide service to the public as well as development
of technical standards. Below them are the accredited CAs of which
Korea has 5 who provide certificate issuance and management services to
the public.</p><p>In a presentation which came later, the Korean team shared the
proposed structure for the Kenyan implementation which had been arrived
at after consultations with Government. The diagram is as follows.</p><p><a href="http://140friday.com/wp-content/uploads/2013/03/CAM00457.jpg" target="_blank"><img alt="CAM00457" height="472" width="630"></a></p><p>In this structure, Government who will be responsible for legal and
regulatory framework, national authentication plan, other high level
functions as well as licensing and auditing are to be represented by the
Communications Commission of Kenya (CCK). Below them and responsible
for operation of the Root Certification Authority is CCK. Below that are
a proposed “Government CA” which will issue certificates for Government
agencies and employees and a proposed “Private Sector CA” which will
issue certificates to the rest of the country.</p><p>I have a big problem with this structure. First and foremost because
CCK is being proposed as BOTH the licensing authority as well as the
licensed operator of the Root Certification Authority. The potential for
conflict of interest is immediately evident, not to mention the fact
that the end-to-end integrity of a structure that ensures top-down
accountability is rendered completely void. Even worse was the mumbled
suggestions by some of the government participants at the seminar that
CCK might also act as the Government CA. In addition that is the fact that a project as crucial as this has not gone through a proper stakeholder consultative process and is seemingly being shoved down our throats. In his closing remarks a director a the E-Government directorate asked the ICT Board to engage stakeholders further and receive input before moving too far.<br></p><p>I raised this point as a question during the Q & A session at the
end of the seminar and would like to emphasise that it would be <strong>very wrong</strong> for CCK to be the Root Certification Authority for a number of reasons:</p><ol><li><strong>Conflict of Interest:</strong> As per the proposed structure
the representative of Government, CCK needs to serve as the top level
entity that handles the legal and regulatory framework and the national
authentication plan. Adding a subsidiary role would not only compromise
their integrity but would also expose them to all manner of challenges
with regards to operation of an infrastructure that is supposed to be
based on trust.</li><li><strong>Procurement Issues:</strong> In sharing to a certain level
of detail the complexity of the Root Authority setup, it became evident
that there would be a continuous need for procurement of various goods
and services. As a government agency, CCK is subject to public
procurement regulations, this means that even very basic, small and
simple items could take months if not years to procure. The problems
with our public procurement are well known. Subjecting the Root
Authority to this kind of environment is in itself a major risk for
successful implementation and operation.</li><li><strong>Human Resource Issues:</strong> Several times in their
presentations the Koreans complained that they had observed a critical
lack of human resources. They emphasized that they were not referring to
<em><strong>skilled</strong></em> human resources but simply to <em><strong>enough people</strong></em>
for the project requirements. Shock of shocks! With the incredible
numbers of well educated Kenyans who are unemployed or underemployed?
They could obviously have only been referring to what they had seen as
far as the people available for the project from the Ministry and CCK.
It is no secret that CCK has extremely limited human resources in their
ICT division and those few are oveworked, stretched beyond measure and
juggling multipe roles. Isn’t adding additional responsibilities into
this mix a formula for disaster?</li><li><strong>Inertia</strong>: CCK has proven to be very poor at the
timely execution of functions that fall outside their core mandate of
licensing, regulation and resource management. A perfect example is the
implementation of the Universal Service Fund, which CCK insisted on
handling as an inhouse function instead of facilitating the setup of a
dedicated entity to handle the task. It has been over 6 years since
regulation and legislation regarding the USF came into place and there
is still nothing to speak of. I will reserve this as a subject for
another day (it is a long and detailed one!)</li></ol><p><strong>Recommendations</strong></p><p>The Government should immediately consider adopting a <strong>Public Private Partnership</strong>
approach for the implementation of Kenya’s NPKI. This is especially
timely because we now have a fully ratified Public Private Partnership
Policy that provides a variety of models for project implementation.
This will not only ensure involvement from crucial stakeholders but also
free the Root Authority from the problems highlighted above (and
probably many others) while at the same time ensuring that enough
private sector energy and enthusiasm is infused into the project so that
it moves with speed and determination. Success stories such as KENIC
and TEAMS show that it is not only possible but that it can be done with
ease.</p><br><br>_______________________________________________<br>
kictanet mailing list<br><a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a><br><a href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet" target="_blank">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a><br><br>
Unsubscribe or change your options at <a href="https://lists.kictanet.or.ke/mailman/options/kictanet/pkukubo%40ict.go.ke" target="_blank">https://lists.kictanet.or.ke/mailman/options/kictanet/pkukubo%40ict.go.ke</a><br><br>
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.<br><br>
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.<br></blockquote></div><br></div>
_______________________________________________
kictanet mailing list
<a href="mailto:kictanet@lists.kictanet.or.ke">kictanet@lists.kictanet.or.ke</a>
<a href="https://lists.kictanet.or.ke/mailman/listinfo/kictanet">https://lists.kictanet.or.ke/mailman/listinfo/kictanet</a>
Unsubscribe or change your options at <a href="https://lists.kictanet.or.ke/mailman/options/kictanet/buruchara%40mac.com">https://lists.kictanet.or.ke/mailman/options/kictanet/buruchara%40mac.com</a>
The Kenya ICT Action Network (KICTANet) is a multi-stakeholder platform for people and institutions interested and involved in ICT policy and regulation. The network aims to act as a catalyst for reform in the ICT sector in support of the national aim of ICT enabled growth and development.
KICTANetiquette : Adhere to the same standards of acceptable behaviors online that you follow in real life: respect people's times and bandwidth, share knowledge, don't flame or abuse or personalize, respect privacy, do not spam, do not market your wares or qualifications.</span></body></html>