One App at a Time: DigiCert's Practical Playbook for the Post-Quantum Transition
By F5 DevCentral Community
Key Concepts
- Post-Quantum Cryptography (PQC): Cryptographic algorithms designed to be secure against the processing power of future quantum computers.
- Crypto Agility: The ability of an organization to rapidly switch between cryptographic algorithms or certificate authorities (CAs) without significant infrastructure disruption.
- CA/Browser Forum: The governing body that sets the standards for publicly trusted certificates and root stores.
- Merkle Tree Certificates (MTC): A technology used to optimize TLS handshakes and reduce the data overhead associated with larger PQC signature sizes.
- Harvest Now, Decrypt Later: A threat model where adversaries capture encrypted data today to decrypt it once quantum computing technology matures.
- PKI (Public Key Infrastructure): The framework of roles, policies, hardware, and software needed to create, manage, distribute, and revoke digital certificates.
1. The Current Landscape of PQC and PKI
The transition to PQC is currently in a state of flux. While the CA/Browser Forum has not yet formally adopted PQC standards for public roots, the threat of "harvest now, decrypt later" necessitates immediate action.
- The "PQC Awareness Curve": Enterprises often cycle through five emotional stages regarding PQC: Denial, Bargaining, Anger (due to previous migrations like SHA-1 to SHA-2), Depression, and finally, Panic.
- Timeline: Industry experts are looking toward a 2030 horizon for major shifts, but the urgency is compounded by new requirements for shorter certificate validity periods (e.g., 47-day certificates).
2. Strategies for Enterprise Transition
Asaf Carell emphasizes that waiting for the CA/Browser Forum to mandate changes is a risky strategy. Instead, organizations should focus on:
- Inventory and Baseline: Establishing a clear view of all certificates within the network.
- The "One App" Methodology: Rather than attempting a massive, organization-wide overhaul, companies should select a single application—either a non-critical lab app or a "crown jewel"—to test PQC implementations.
- Private CAs: Utilizing private CAs (such as those available via DigiCert PQC Labs) allows organizations to experiment with PQC and Merkle Tree certificates in a controlled environment without waiting for public standards.
3. Automation as the Foundation
Automation is presented as the "silver bullet" for the upcoming cryptographic transitions.
- Process over Product: Once an automated renewal and replacement process is established, the specific type of certificate (PQC vs. traditional) or the CA provider becomes secondary.
- Tools: Automation can range from simple ACME (Automated Certificate Management Environment) implementations to more complex SCAP (Security Content Automation Protocol) workflows.
- Goal: The objective is to reach a state where replacing a CA or a certificate type is a "click of a button" operation, taking only a few hours.
4. Global Cryptographic Sovereignty
There is a growing trend of "digital sovereignty," where nations (e.g., Germany’s BSI, China, South Korea) are developing their own cryptographic primitives that may differ from NIST standards.
- The X9 Route: DigiCert has established the X9 root as an alternative for financial institutions that require specific standards not currently supported by the public CA/Browser Forum.
- Compliance Conundrums: Organizations face challenges with standards like FedRAMP or FIPS, which may currently prohibit PQC libraries. Asaf notes that it is better to prepare for the inevitable inclusion of PQC in these standards than to remove and re-add libraries, which creates significant technical debt.
5. Merkle Tree Certificates (MTC)
Google has introduced MTCs to address the "bulk" of TLS handshakes.
- Technical Benefit: PQC signatures are significantly larger than traditional RSA or ECC signatures. MTCs help bypass the bandwidth and latency issues caused by these larger payloads by moving handshake requirements offline.
- Application: DigiCert has already integrated MTC support into their private CAs, allowing for immediate testing in Kubernetes and node-to-node communication environments.
Notable Quotes
- "You don't want to be stuck. If you look at SSL Labs, there are still sites out there using SHA-1. That's going to be the same case in five years [with PQC]." — Asaf Carell
- "We don't want to slow down quantum computers because we're scared to migrate. Get excited." — Asaf Carell
Synthesis
The transition to post-quantum cryptography is not merely a technical upgrade but a fundamental shift in how organizations manage trust. The primary takeaway is that automation and crypto agility are the most critical investments an enterprise can make today. By leveraging private CAs for testing, adopting automation tools, and focusing on a modular approach to certificate management, organizations can insulate themselves from the volatility of future regulatory changes and the looming threat of quantum-enabled decryption.