How much does PKI really cost?
PKI is legendary for being very expensive and hard to use. Usability is hard to quantify, but the claim that it's expensive is fairly easy to justify. If you look at the US Government Accountability Office's report "Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies" (PDF), you'll see some truly impressive estimates for the cost per certificate that some government agencies have experienced. The USDA had spent $46,853.56 per certificate when the original report was written, for example.
The GAO actually seems to do a good job of being an impartial auditor for the US government, so their estimates for the cost of the government's use of PKI so far (over $1 billion) are probably the best they could do, but their accuracy depends on the data that the federal departments and agencies provided to the GAO. I started to wonder exactly how accurate that data was when I read an article in the Wall Street Journal about the costs of the space shuttle program.
According to this article, the government doesn't actually know how much the space shuttle program cost. Estimates range from roughly $115 billion to $230 billion. For 135 launches, that comes to somewhere between $850 million and $1.7 billion per launch. That's a lot for a program that was supposed to cost more like $7 million per launch, even accounting for inflation.
So if government agencies can't actually get an accurate estimate of how much they spent on the space shuttle, how accurate do you suppose those PKI cost estimates really are?