Thoughts on the relationship between PKI maturity and Crypto Agility #29
Unanswered
woefulhc
asked this question in
Post-Quantum Cryptography
Replies: 0 comments
My thought on this is that while PKI maturity is very helpful for achieving Crypto Agility, the first does NOT imply the second. I do not believe it to be a requirement either. If we were talking about chemical reactions, I would say that PKI maturity is like an efficient catalyst. It makes achieving the product easier. However, as someone who works for an organization with a mature PKI, I can assure you that knowing what has been issued is NOT the same as knowing where things are deployed. It is also not the same as having an accurate inventory. What keys/certificates/libraries/algorithms are deployed and in use from vendors and partners? A moderately mature PKI does not necessarily give any visibility to that. Your CA may not have any record of self-signed certificates that exist in the environment.
I would say that having an accurate, repeatable inventory of what is deployed and where is 100% a prerequisite to achieving Crypto Agility. A mature PKI can help with that but does NOT by itself satisfy the need for the inventory.
I am interested in the viewpoints and thoughts of others on this.
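The gap the post describes between what a CA has issued and what is actually deployed, shown as an added example that is not part of the original post: a reconciliation of a CA issuance log against a discovery scan. The record layouts, field names, hosts, and fingerprints are all constructed for illustration, and self-signed detection is simplified to a subject/issuer comparison.

```python
from collections import Counter, defaultdict

# Constructed sample data. Fingerprints are shortened placeholders.
# CA issuance log: fingerprint -> what the CA recorded when it issued the cert.
CA_ISSUED = {
    "fp-aa11": {"subject": "web01.example.internal", "key_alg": "RSA-2048"},
    "fp-bb22": {"subject": "api.example.internal", "key_alg": "ECDSA-P256"},
    "fp-cc33": {"subject": "batch.example.internal", "key_alg": "RSA-2048"},
}

# Discovery scan: one row per endpoint that presented a certificate.
DISCOVERED = [
    {"endpoint": "10.0.0.5:443", "fp": "fp-aa11", "subject": "web01.example.internal",
     "issuer": "Example Issuing CA", "key_alg": "RSA-2048"},
    {"endpoint": "10.0.0.6:443", "fp": "fp-aa11", "subject": "web01.example.internal",
     "issuer": "Example Issuing CA", "key_alg": "RSA-2048"},
    {"endpoint": "10.0.0.7:443", "fp": "fp-bb22", "subject": "api.example.internal",
     "issuer": "Example Issuing CA", "key_alg": "ECDSA-P256"},
    {"endpoint": "10.0.0.9:8443", "fp": "fp-dd44", "subject": "printer-3f",
     "issuer": "printer-3f", "key_alg": "RSA-1024"},
    {"endpoint": "10.0.0.12:443", "fp": "fp-ee55", "subject": "appliance.vendor.example",
     "issuer": "Vendor Device CA", "key_alg": "RSA-2048"},
]

def reconcile(ca_issued, discovered):
    """Compare what the CA issued with what is actually deployed."""
    locations = defaultdict(list)          # fingerprint -> endpoints presenting it
    self_signed, foreign = [], []
    for row in discovered:
        locations[row["fp"]].append(row["endpoint"])
        if row["fp"] in ca_issued:
            continue
        # Simplification: subject == issuer is treated as self-signed; a real
        # check would also verify the signature with the certificate's own key.
        (self_signed if row["subject"] == row["issuer"] else foreign).append(row["endpoint"])
    return {
        "issued_and_deployed": {fp: eps for fp, eps in locations.items() if fp in ca_issued},
        "issued_not_seen": sorted(set(ca_issued) - set(locations)),
        "self_signed_unknown_to_ca": self_signed,
        "other_issuer_unknown_to_ca": foreign,
        "algs_ca_knows": Counter(c["key_alg"] for c in ca_issued.values()),
        "algs_deployed": Counter(r["key_alg"] for r in discovered),
    }

if __name__ == "__main__":
    for key, value in reconcile(CA_ISSUED, DISCOVERED).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

In this constructed data set the CA's own records never mention RSA-1024, yet the scan finds it in use on a self-signed endpoint, and one issued certificate turns out to be deployed in two places.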