A rounding error?
A few days ago, I gave a talk, part of which discussed the data that supports the claim that encryption has historically been both hard and expensive, although newer technologies are definitely changing this. Some of the data that I used to support the claim that encryption has historically been expensive came from a report from the US Government Accountability Office (GAO) on the cost of PKI in the US federal government. One particular data point that I mentioned was how much the US Department of Agriculture (USDA) had managed to spend per digital certificate.
According to the GAO report, the USDA has spent $6,887,473 for a total of only 147 certificates, for an average of about $46,853.56 per certificate. I rounded this down to only $46,000 in my talk.
Today, I realized that the rounding error in my estimate was actually fairly large. By rounding down $46,853.56 to only $46,000, I had created a rounding error of $853.56 per certificate, an amount that’s actually much greater than the total cost of certificates, even for government organizations.
The US federal agency that seems to have had the best experience with PKI is the Department of the Treasury. They’ve spent $3,200,454 for 122,450 certificates, for an average of only $26.14 per certificate. When I saw this, I contacted the manager of their PKI program, hoping to get some insight into how they managed to keep their costs so low, but he never replied to my inquiries. Their total costs are much less than the rounding error that I made when talking about the USDA’s costs, but it looks like I’ll never know how they managed to do this.