News 08-10-2023

DigiCert Champions PQC, Automation and Supply Chain Security at IETF

IETF News – July 2023
Timothy Hollebeek

The Internet Engineering Task Force (IETF) is the organization that sets the standards for the internet, including well-known standards like TLS and S/MIME. IETF meets three times a year with participants from all over the world. DigiCert is an active participant in IETF, helping to define trust on the internet, and thus we are pleased to provide a summary of the updates from the most recent meeting in San Francisco in late July.

What is IETF?

The IETF is a large, open international community of network designers, operators, vendors and researchers who work together to develop and promote internet standards. The IETF's main goal is to ensure the smooth operation and evolution of the internet by creating and maintaining technical documents, known as Requests for Comments (RFCs), that define how different aspects of the internet should function. These RFCs cover protocols like HTTP (Hypertext Transfer Protocol), TCP/IP (Transmission Control Protocol/Internet Protocol), SMTP (Simple Mail Transfer Protocol), and many others that form the foundation of the modern internet. Over 9,000 RFCs have already been written. Through IETF, engineers can also test out their implementations with each other to make sure they interoperate.

The IETF operates through a series of working groups, each focused on a specific area of internet technology. These groups discuss, design and develop new standards or improvements to existing ones. The IETF operates in an open, collaborative manner, and its participants include technical experts, researchers, developers and interested individuals.

What is DigiCert’s role in the IETF?

DigiCert takes a leading role in IETF, chairing and actively participating in many of the working groups and working closely with other certificate authorities in attendance. Many of the hot topics and working groups in the security area are fundamental to digital trust, and thus we are taking an active approach to collaborating with other industry leaders on the standards. DigiCert participates in discussions, feedback and implementations related to various security protocols and standards at the IETF, such as transport layer security (TLS), public key infrastructure (PKI), certificate transparency (CT) and automated certificate management environment (ACME).

What were the highlights from the last IETF meeting?

Post-quantum transition — The post-quantum transition continues to be a hot topic at IETF, with a particular focus on how digital signatures might work in the future. At DigiCert, our experts are helping to write the PQC For Engineers draft that will help the industry get up to speed on this technology, and we chair the LAMPS working group where the new National Institute of Standards and Technology (NIST) algorithms are being incorporated into the existing signing, certificate and key management standards.  

The exact arrival time of quantum computers remains uncertain, but their inevitability is undisputed. Along with other certificate authorities, DigiCert is working to determine how certificates will work in a post-quantum world. We are also coordinating closely with NIST to integrate their selected post-quantum algorithms into IETF protocols and digital certificates. We also highly encourage organizations to start discussing a post-quantum cryptography transition strategy now, and have shared tips for the transition in previous blogs.

Automation — Automation continues to be a fundamental topic discussed in the standards world, as it allows security to be implemented efficiently and reliably at scale. We support efforts to extend ACME to better support getting certificates from multiple suppliers (draft-vanbrouwershaven-acme-auto-discovery).

Software supply chain transparency — Software supply chain transparency efforts are gaining steam, moving towards a world where organizations have much more information about where their software comes from. This work is happening in the IETF SCITT working group and uses digital ledgers to provide evidence about software provenance.

The next IETF meeting will take place in Prague in November, and we will provide another update then. Subscribe to the DigiCert blog to get the latest on what’s going on in digital trust standards, including the CA/B Forum, IETF and other critical groups.

