The CA/Browser Forum met March 2–4 for its spring virtual meeting. For an overview of what the Forum does and how it works, see DigiCert’s Introduction to the CA/B Forum. For the most part, it was a relatively quiet meeting, as the spring meeting often is after the holidays.
During the meeting, the Forum had its usual working group meetings, some of which are highlighted below. Browser representatives also gave updates on their policies, and those are highlighted below as well. Additionally, Dr. Natalia Stakhanova of the University of Saskatchewan presented her research on source attribution of RSA keys. Lastly, Dustin Moody from NIST gave a presentation on post-quantum cryptography and how quantum computers will impact certificates.
Progress continues to be made on the S/MIME Baseline Requirements. For more information about why this is needed, see our recent blog on standards for email certificates. At the meeting, DigiCert announced a very early rough draft for members to start contemplating and working on, as well as a strategy for getting it adopted.
Also, the code signing working group is in the process of making a number of improvements to how code signing keys are protected. This will help protect everyone by reducing the risk that stolen code signing certificates can be used to sign malicious code. Users of code signing certificates should pay careful attention to improvements in this area as they are finalized and announced, as they may impact development processes at many organizations.
During the browser updates, Apple, recognizing the importance of accurate and timely certificate revocation information, announced its intention to work more closely with certificate authorities on this topic. This was a very welcome announcement and DigiCert intends to participate.
Google announced that it is working to provide more consistency across all platforms in how Chrome handles certificates. Currently, Chrome often relies on the behavior of the underlying operating system store, which provides an inconsistent experience when using Chrome on different operating systems. Google also encouraged CAs to move towards certificate hierarchies where publicly-trusted TLS certificates are not mixed together with other kinds of certificates.
Dustin Moody from NIST gave an excellent presentation on the threat quantum computers pose to traditional asymmetric encryption algorithms like RSA and ECC and NIST's efforts to standardize new post-quantum algorithms, which are intended to be able to withstand attacks by quantum computers.
Moody’s guidance matched DigiCert's own, highlighting the length of time cryptographic transitions can take. With recent advances in quantum, we predict it could be here within five to ten years, while cryptographic transitions could easily take a decade to complete. The message is clear: the time to start preparing for the transition to quantum-safe algorithms is now.
Digicert is innovating solutions to help organizations prepare for PQC, like the PQC Maturity Model and toolkit. The Post-Quantum Cryptography Maturity Model is not only a guide for understanding the PQC threat, but also a tool for identifying your current level of preparation, and how you can get ahead of the challenges coming with this computing revolution. By following the model, you’ll be able to advance your organization down a pathway to post-quantum security. The DigiCert PQC toolkit has what you need to create a hybrid TLS certificate and test post-quantum hybrid certificates. To learn more, visit digicert.com.
DigiCert will continue to provide updates on industry standards and the activities of the CA/B Forum. Stay tuned for an update after the next CA/B Forum meeting, scheduled for June, by following DigiCert’s blog and social.