Swiss Federal Audit Office SFAO

The requirements for the PKI were primarily created by laws and resolutions passed by the Federal Council. This indicates that the PKI was not developed based on arbitrary or subjective criteria, but rather on objective legal requirements and guidelines set by the government. Thus, the PKI was developed with a strong focus on compliance and adherence to legal standards.

The Public Key Infrastructure has achieved a high level of security - it meets the high security requirements set by ZertES and various European standards, but monitoring and logging need improvement. The PKI may not be able to detect and respond to security incidents as quickly and effectively as it could with better monitoring and logging capabilities.

The audit was not able to determine the exact costs of the Public Key Infrastructure because full cost accounting was not performed. This suggests that there may be some uncertainty or lack of transparency in the cost structure of the PKI.

The Public Key Infrastructure provides high trustworthiness at manageable costs. However, the change, release, and life-cycle management must be improved. PKI should be integrated into the Release Conference of the BIT to better coordinate planned changes and updates. Necessary hardware, software, and other components are renewed in a timely manner. Certain issues related to encryption that need to be addressed, such as the management of encryption keys and the regulations regarding their storage and archiving. Additionally, the report suggests that in practice, too many documents are unnecessarily or falsely classified and encrypted.

Switching from the current self-developed SG PKI to a commercial product would likely have a long amortization time , and the risks associated with external procurement would need to be carefully evaluated.