PKI Maturity Model Working Group Charter

Charter of the PKI Maturity Model Working Group

This Working Group Charter has been created according to the “Working Groups” section of the Bylaws of the PKI Consortium (“PKIC”). In the event of a conflict between this Charter and any provision in either the Bylaws or the IPR Policy, the provision in the Bylaws or IPR Policy shall take precedence.

Summary of the Working Group

Summary

Name: PKI Maturity Model
Abbreviation: PKIMM
Mission: To build a PKI maturity model that will be recognized around the globe as a standard for evaluation, planning, and comparison between different PKI implementations
Chair(s): Roman Cinkais (3Key Company)
Communication: Private mailing list, virtual meetings, community discussions, GitHub
Meeting schedule: Virtual meetings, approximately 1 per month
Membership eligibility: All Member types of the PKIC that express interest in this Working Group
Voting structure: According to the PKIC Bylaws
Expiration: This Working Group is chartered indefinitely until it is dissolved
Members: 3Key Company, Ascertia, ComSign, DirectTrust, Entrust, Eval, Federal Public Key Infrastructure (FPKI), i4p informatics, Information Security Corporation (ISC), Keyfactor, Logius, SEALWeb, SSL.com, Sunnic, TrustAsia, TrustSEC

Introduction

There is currently no standardized and globally recognized maturity model for PKI. The models that do exist are very specific, built on top of frameworks like Capability Maturity Model Integration (CMMI), and tailored to the particular purposes of the consulting companies that created them.

Our goal is to build a PKI maturity model that will be recognized around the globe as a standard for evaluation, planning, and comparison between different PKI implementations. It can also serve as a basis for additional services connected with the model, like PKI maturity assessment, or implementation and action plans definition for PKI environments. These activities can be extended to any interested parties outside of the PKIC.

The PKI maturity model and assessment methodology will serve as the entry point for anyone evaluating a PKI environment, whether on their own or through an independent third party.

Adoption of the PKI maturity model must be very easy. The model must therefore be clear and understandable across different PKI environments, use cases, and industries, and it must be open and available for anyone to use. An assessment methodology will be developed to support both on-site and automated assessment.

Scope

The scope of this Working Group is to:

  • Define and maintain the PKI maturity model with applicable categories and maturity levels
  • Define and maintain the PKI maturity assessment methodology including assessment report
  • Collect feedback from participants and interested parties regarding the PKI maturity model and assessment process
  • Collaborate on reviews of the PKI maturity model, such as model revisions and feedback from participants and interested parties
  • Create assessment tools and applications to support the assessment process

Out of scope is:

  • Performing assessment of the PKI

Objectives and goals

The objective is to provide a definition of the PKI maturity model together with the maturity assessment process and procedures used to rate the current maturity level according to the model, and to make it possible for any organization or user of a PKI, regardless of size or use case, to track progress over time.

It should also serve as a basis for the development of open-source PKI maturity assessment software, applications, and tools that automate and streamline maturity assessment according to the PKI maturity model and assessment methodology.

The maturity model is based on the Capability Maturity Model Integration (CMMI) developed by Carnegie Mellon University. It should provide the following:

  • Quickly understand the current level of capabilities and performance of the PKI
  • Support comparison of PKI maturity with similar organizations based on size or industry (anonymized)
  • Action plans on how to improve the capabilities of the current PKI
  • Improve overall PKI performance

Summary of the planned activities

To achieve the objective and goals of the PKI maturity model, the Working Group will gather feedback from its Members, participants, and interested parties regarding the structure of the PKI maturity model, leading to the development of a robust and recognized model and assessment methodology.

The activities carried out by the Members of this Working Group include:

  • Regular meetings and discussions on the development of the maturity model and related changes
  • Collecting information and feedback from interested parties regarding the maturity model and assessment process
  • Contributing to the definition of the overall maturity model, including its categories, maturity levels, and assessment process
  • Collaborating on the assessment methodology for the maturity model
  • Creating awareness about the PKI maturity model, assessment methodology, its adoption and how to use it
  • Preparing and publishing the deliverables of this Working Group

Change in activities described in this Working Group Charter must follow the “Decision process” described in this document.

Summary of the deliverables

Based on the objectives, goals, and planned activities of this Working Group, the initial deliverables are:

  • Documented PKI maturity model
  • Documented assessment methodology for the PKI maturity model
  • Documented guidelines on how to use the PKI maturity model
  • Blog posts and articles to create better awareness about the PKI maturity model, its assessment methodology, adoption, and how to use it
  • Assessment tools and applications

All deliverables are licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) or MIT license and hosted within a public repository under the PKIC GitHub organization.

Changes to the deliverables described in this Working Group Charter must follow the “Decision process” described in this document.

Means of communication

A private mailing list is used for communication between Working Group Members.

Interested parties can contribute using the community discussions on GitHub and Working Group Members will actively participate in those discussions.

Planning and action items are managed as issues within the same repository as where the deliverables are published.

Membership and participation

Organizations that are eligible to join this Working Group follow the membership process as described in the Bylaws of the PKIC, section “Membership”.

In accordance with the IPR policy, Members that choose to participate in this Working Group must declare their participation prior to participating by contacting the Chair of this Working Group.

The Chair of this Working Group must establish a list for declarations of participation and manage it in accordance with the PKIC Bylaws and the IPR policy and agreement.

Non-members can participate using the community discussions.

Decision process

The decision process follows the Bylaws of the PKIC, with reference to the sections “Voting” and “Working Group”.

All decisions in this Working Group shall be made by substantial consensus (as determined by the Working Group Chair) of all PKIC Members including interested parties. If substantial consensus cannot be reached (or upon the request of any three PKIC Members), the matter will be submitted for decision by the Executive Council.

IPR policy

This Working Group is subject to the Intellectual Property Rights Agreement, Code of Conduct and Bylaws of the PKIC, including the Antitrust Policy.

Antitrust policy

In accordance with the PKIC antitrust policy, as stated by the PKIC Bylaws, an antitrust statement should be applied and read at the start of all Working Group meetings, in substantially the form written in PKIC Bylaws, chapter “Antitrust Policy”.

Other applicable policies

Any relevant PKIC policies defined by the Bylaws must be followed if not specifically excluded by this Working Group Charter.
