One of the essential building blocks of digital trust is standards, or how to define trust for a given technology or industry. Standards groups like the CA/Browser (CA/B) Forum and other industry forums and consortia drive industry and certificate requirements, helping to define trust and ensure confidence in our digital interactions.
As standards are a key part of digital trust, we’re looking back on the past year and looking forward to next year to understand what’s going on in standards. DigiCert also provides a regular recap of each CA/B forum meeting and provides updates on standards as relevant on the DigiCert blog.
This year marked a return to face-to-face meetings in the CA/B Forum and IETF, and a variety of milestones for the standards world, including for email, smart home and code signing.
In an industry first, standards for email signing have arrived. The S/MIME Baseline Requirements (BRs) were passed this year, the first baseline standard for email signing and encryption certificates, and enforcement will follow. The S/MIME BRs have been in progress for the last four years, and DigiCert has aided in the effort with our own Stephen Davidson as the S/MIME working group chair. We are proud that the industry has agreed to move forward with this milestone.
The new S/MIME BRs provide auditable requirements to make sure that S/MIME certificates follow appropriate minimum validation standards and comply with an interoperable certificate profile. Three profile generations (Legacy, Multipurpose and Strict) are defined so that existing practices can continue while companies transition to newer, higher-quality S/MIME certificates.
The requirements take effect in September 2023, but they will only be enforced in practice once one or more email clients or root programs mandate compliance. Various root programs have indicated a desire to mandate compliance with the S/MIME BRs, but no formal announcements have been made yet. We anticipate seeing formal announcements in 2023.
VMC adoption continued to grow this year, with new Email Service Providers (ESPs) like Apple using it and additional trademark options approved for VMC, moving closer to a world where customers can see your logo in every email sent. Gmail now accepts trademarks from additional countries including France, Netherlands, Switzerland, Denmark, Sweden and New Zealand, with even more countries coming next year. We predict that VMC adoption will continue to grow in 2023. Learn more about BIMI and VMC here.
In another industry first, the Connectivity Standards Alliance (CSA) released Matter 1.0 on Oct. 4, and DigiCert's Root Certificate Authority (CA) became the first root CA approved by the CSA for Matter device attestation, allowing for rapid time to market for smart home manufacturers and security that works automatically for their customers.
Matter has been a multi-year project bringing together the biggest names in smart home manufacturing, including Apple, Google and Samsung, to create a reliable, secure way for devices from different manufacturers to interoperate. DigiCert has been highly involved in Matter and can help manufacturers achieve compliance with device attestation.
At DigiCert, we are excited for what Matter means for IoT interoperability, and even more excited that the Matter protocol builds security into its design. In the future, we predict the Matter logo will become a recognized symbol and standard, similar to Bluetooth, that consumers shop for. Additionally, we predict that Matter could be applied to other areas beyond the smart home, including smart cities, connected health and more.
The CA/B Forum also announced this year changes to the key-protection requirements for OV code signing certificates, bringing them in line with EV by requiring that private keys be generated and stored in hardware. The majority of code signing certificate users still rely on physical tokens to protect their code signing keys. Tokens are easily lost, shared or mishandled, which leads to keys being compromised or stolen, and they stand in the way of automation and stronger, centrally managed key protection in the code signing ecosystem.
These changes also put a burden on our customers to remain compliant as requirements change. That is why we support our customers with DigiCert® Secure Software Manager, which supports full automation of code signing and helps customers ensure compliance. We have also been working with the CA/B Forum working group and have provided input on the standards for signing services.
In European standards, there is a continuing effort to figure out how to create better Qualified Website Authentication Certificates (QWACs). Previous ideas about separating identity into a different certificate have been put on hold for now, and the focus is on making European certificate profiles and trust lists interoperable with CA/B Forum profiles and browser trust lists. That work is only part of a broader effort by the EU to incorporate digital trust into every aspect of its electronic infrastructure. As we close out some of the other large standards efforts we have been involved with in 2022, we expect 2023 to be an extremely active year for European standards.
This year NIST selected the first quantum-resistant cryptographic algorithms for standardization (CRYSTALS-Kyber for key establishment, and CRYSTALS-Dilithium, FALCON and SPHINCS+ for signatures), meaning now is the time to prepare your organization's crypto-agility and start testing the new algorithms. However, one of the remaining candidate algorithms that was not selected, Supersingular Isogeny Key Encapsulation (SIKE), was broken within an hour by a classical attack running on an ordinary PC. This is an important reminder of why crypto-agility is critical: algorithms must be easy to swap out if vulnerabilities are discovered, whether in classical or PQC algorithms.
As standards for PQC are developed, we predict an increased focus on the need to be crypto-agile, since quantum computers pose a significant future threat to secure online interactions. This is especially important for signing key security: software being signed today will still be in use when cryptographically relevant quantum computers arrive, so improvements to signing solutions need to be put in place now.
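To make "changing out an algorithm easily" concrete, here is an added example of the crypto-agility pattern the two paragraphs above argue for. It is illustrative code written for this post, not DigiCert's software or any product's API: the algorithm identifier travels with each signed artifact and is bound into the signed input, a single registry holds the per-algorithm policy, a broken algorithm can be pulled with one call (the SIKE situation), and legacy artifacts can be re-signed under a newer algorithm. HMAC over standard-library hashes stands in for real signature schemes so the code runs offline; the key, payload and algorithm names are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    APPROVED = "approved"      # usable for new signatures and for verification
    DEPRECATED = "deprecated"  # verify only: existing artifacts still accepted, no new signatures
    FORBIDDEN = "forbidden"    # broken or retired: rejected even if the tag would match


# Algorithm identifier -> [hash constructor, policy status]. This registry is the
# one place that changes when an algorithm is added, deprecated or pulled.
# HMAC stands in for real signature algorithms; the identifiers are constructed.
REGISTRY = {
    "hmac-sha256": [hashlib.sha256, Status.APPROVED],
    "hmac-sha3-256": [hashlib.sha3_256, Status.APPROVED],
    "hmac-sha1": [hashlib.sha1, Status.DEPRECATED],
    "hmac-md5": [hashlib.md5, Status.FORBIDDEN],
}


class AlgorithmPolicyError(Exception):
    """Raised when a caller tries to sign with a non-approved algorithm."""


@dataclass(frozen=True)
class SignedArtifact:
    alg: str        # the algorithm identifier travels with the signature
    payload: bytes
    tag: bytes


def _bound_message(alg: str, payload: bytes) -> bytes:
    # The identifier is folded into the signed input, so a tag produced under one
    # algorithm cannot simply be relabelled as another (no downgrade by renaming).
    return alg.encode() + b"\x00" + payload


def sign(key: bytes, payload: bytes, alg: str) -> SignedArtifact:
    entry = REGISTRY.get(alg)
    if entry is None or entry[1] is not Status.APPROVED:
        raise AlgorithmPolicyError(f"{alg} is not approved for new signatures")
    tag = hmac.new(key, _bound_message(alg, payload), entry[0]).digest()
    return SignedArtifact(alg, payload, tag)


def verify(key: bytes, artifact: SignedArtifact) -> bool:
    """Policy check first, then the cryptographic check."""
    entry = REGISTRY.get(artifact.alg)
    if entry is None or entry[1] is Status.FORBIDDEN:
        return False
    expected = hmac.new(key, _bound_message(artifact.alg, artifact.payload), entry[0]).digest()
    return hmac.compare_digest(expected, artifact.tag)


def retire(alg: str) -> None:
    """Pull an algorithm after a break: one registry change, no artifact format change."""
    REGISTRY[alg][1] = Status.FORBIDDEN


def resign(key: bytes, artifact: SignedArtifact, new_alg: str) -> SignedArtifact:
    """Migrate an artifact to a newer algorithm, but only if its current signature still verifies."""
    if not verify(key, artifact):
        raise ValueError("refusing to migrate an artifact that does not verify")
    return sign(key, artifact.payload, new_alg)


def demo() -> dict:
    # Constructed sample key and payload; not real signing material.
    key = b"example-shared-key"
    payload = b"installer-v1.2.3"
    results = {}
    current = sign(key, payload, "hmac-sha256")
    results["verifies"] = verify(key, current)
    relabelled = SignedArtifact("hmac-sha3-256", current.payload, current.tag)
    results["relabel_rejected"] = not verify(key, relabelled)
    try:
        sign(key, payload, "hmac-sha1")
        results["deprecated_sign_blocked"] = False
    except AlgorithmPolicyError:
        results["deprecated_sign_blocked"] = True
    # An artifact signed before hmac-sha1 was deprecated still verifies ...
    legacy_tag = hmac.new(key, _bound_message("hmac-sha1", payload), hashlib.sha1).digest()
    legacy = SignedArtifact("hmac-sha1", payload, legacy_tag)
    results["legacy_verifies"] = verify(key, legacy)
    migrated = resign(key, legacy, "hmac-sha3-256")
    results["migrated_verifies"] = verify(key, migrated)
    # ... until the algorithm is retired outright, after which it fails regardless of the tag.
    retire("hmac-sha1")
    results["legacy_rejected_after_retire"] = not verify(key, legacy)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The order of checks in `verify` is the point: policy is evaluated before any cryptography, so a retired algorithm is rejected even when the tag is mathematically valid, which is exactly the situation an organization faces the day an algorithm like SIKE is broken. Binding the identifier into the signed input is what keeps the identifier from becoming an attacker-controlled downgrade switch.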
In 2022 the United States moved to create a new standard for security labels on IoT devices, planned to launch in spring 2023. This security "nutrition label" will help consumers easily access information about their smart devices, such as how vulnerabilities are handled and how the device interoperates with other products. The push follows the 2021 Executive Order on Improving the Nation's Cybersecurity, and numerous private and public organizations met this past October to develop the IoT security labeling scheme. The plan is to launch the labels as soon as spring 2023 on a voluntary basis, but we predict that these labels will eventually become mandatory. Learn more on the DigiCert blog.
In 2023, we will see increasing adoption of the S/MIME standards, Matter will become a commonly known name, code signing changes will be enforced, and crypto-agility will become the industry standard to deal with both current and future threats.
For more security predictions in the new year, check out our post where we polled over half a dozen industry experts on what to expect from security in 2023.