Podcast Aug 13, 2020

Root Causes 112: Introducing Sectigo Quantum Labs

For more than a year Sectigo has been providing the market with information to understand what we all must do to change our cryptography to prepare for quantum computers. Now Sectigo has announced Sectigo Quantum Labs, a destination for education on quantum-safe certificates (QSC) and our Quantum-Safe Kit, which allows enterprises to create their own hybrid quantum-safe certs. Join us as we articulate what Sectigo Quantum Labs has to offer you.

  • Original Broadcast Date: August 13, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So today, we are talking about our recent announcement of Sectigo Quantum Labs.

  • Jason Soroko

    Yeah, Sectigo Quantum Labs. You and I, Tim, on this podcast and with some guests have talked about the quantum apocalypse and quantum resistant certificates and all that stuff and this Quantum Labs is basically a bringing together of the minds in Sectigo as well as a partnership and some toolkits to enable our customers to be able to evaluate quantum resistant certificates.

  • Tim Callan

    Yeah. To understand what they need to do to understand the phenomenon and what's happening in the industry and then actually to take some action to be ready for the changeover when the time comes.

  • Jason Soroko

    Right, Tim. So really, I'm thinking about private trust scenarios especially where the private trust use case that you are working on as a vendor has a life span beyond five years, ten years, in which case, cryptographic agility is important to you because of the potential advent of quantum computing. And therefore, it's a good time to start looking now and to develop some competency on this topic so that you're not waiting until the last minute.

  • Tim Callan

    Yeah. And there are a couple other good reasons why we are starting with private trusts too and we are kind of getting ahead of ourselves but that's ok. We'll back up. One of the reasons is just because as a PKI ecosystem it's more agile. You own your own systems. You can do what you want with them so you can go ahead, and you can use candidate algorithms in a testing environment, and it may be that those candidate algorithms ultimately don't turn out to be the algorithms we are using but that's ok. It's in a testing environment. When you get into the public world it's much more – things move slower because it's very much a measure twice/cut once kind of scenario. Once you are using an algorithm it's a big deal to stop using it. So, you have to really get it right and get it spread and get it ubiquitous the first time.

  • Jason Soroko

    Right, Tim. I think that's a very important point and I could imagine a lot of people might have the question why would I want to issue a quantum resistant certificate today when I don't even know what the final algorithms would be and the beauty of it – and this is something we'll get into – we'll touch on it in this podcast, we'll probably get into a lot more detail in future ones – has to do with this idea of cryptographic agility, meaning because of the nature of the certificate profile that we are talking about, it actually affords us to be able to swap out algorithms as we choose. And that's the exciting development here.

  • Tim Callan

    Yeah. So, what would I do with this today? The algorithms haven't even been settled. Well, what I would do is I would start wrapping my head around how these things work in the real world. I would get certificates. I would deploy them in my sandbox. I would hook up to them. I would connect and see that connections were occurring successfully, and that data was being encrypted and transferred successfully and I'd get myself comfortable with that. Or if it didn't work, I would know that there were scenarios where it wasn't working, and I would start looking into that.

  • Jason Soroko

    That's exactly right, Tim. Including some of the background stuff. A lot of what you've been talking about is the bread-and-butter authentication with the private leaf certificates, for example. But, how about actually standing up a PKI infrastructure from the beginning, which is your root CA, your intermediate CA, signing all of those, you know, choosing your quantum resistant algorithms for them and issuing them all the way out to your leaf certificates and then testing exactly what you are talking about, which is the result. It's all those things that you want to test and get right.

  • Tim Callan

    Yeah. If I were the CSO at a large enterprise that's exactly what I would want to see. I would say I want to see a wall-to-wall implementation. Start with nothing, end up with leaf certificates that are working and show me that the whole thing works in my controlled environment.

  • Jason Soroko

    And that means things, Tim, such as, hey what do the certificate profiles look like now? What are my bit lengths? There's a whole learning curve everybody is going to have to go through and in fact, it's a learning curve per cryptographic algorithm.

  • Tim Callan

    Right. What's performance like? What about a constrained environment? What if I have constrained bandwidth? What if I have constrained memory? What if I have constrained compute? Absolutely.

  • Jason Soroko

    I couldn’t have said it better, Tim. It's exactly right. What's the latency like for all my functions including things such as authentication. What about mass issuance of certificates? What does that look like? Is there one algorithm that I prefer over the other? Simple as that. Because NIST as we know, they are round three, going into perhaps a round four down the road and they're coming down to a short list, but they already specified there is probably going to be more than one specified at the end for redundancy purposes so test out the ones that are on their short list and see which ones you might prefer.

  • Tim Callan

    Yeah, and the short list is now short enough. It's 15 algorithms where you could look at them all. Right?

  • Jason Soroko

    That is exactly right, Tim. And so, therefore, it's not out of the scope to at least test out two or three because they seem to be coming down to lattice-based algorithms as well as a couple of other math technologies as well but certainly you can check out what each category feels like.

  • Tim Callan

    Yeah, and I think we should do a whole separate podcast on the 15 algorithms and where we are on that but that would be a podcast on its own so let's not do that here. But that's the why for Sectigo Quantum Labs.

    Let's talk about what. What we have. The first thing is, listeners to this podcast will know that for more than a year now, Sectigo has been researching, creating, and distributing information about quantum computing, RSA and ECC, new quantum algorithms, NIST activity, etc. and that has been developing and evolving in real-time and we've been putting out material in real-time. The first part of what we are doing with Quantum Labs is we are just giving that effort a home. So, if you want to know what the latest is – because this is still a moving target. It's still a moving target. It's still not done. If you want to get current and be contemporary on what's going on with the search for quantum safe cryptography, Sectigo Quantum Labs will always have that for you, and it will always be current and it will always be accurate. So that's point number one.

    Point number two is that we have made available the Sectigo Quantum Safe Kit and Jay, what is the Sectigo Quantum Safe Kit?

  • Jason Soroko

    It's basically a toolkit that is really intended that you work with Sectigo so that you can create your demo or proof of concept solution so that you can evaluate quantum-resistant PKI infrastructure and quantum-resistant certificates. Is to do exactly what we just said, which is, Tim, you just said that over the past year we've been doing a lot of talking about this. Putting out a lot of materials, doing some educating and I think it's finally time for our customers to get their hands dirty and get their hands dirty hand-in-hand with us as a CA so that when you are looking at future private trust use cases you can start building with us your PKI infrastructure that has that agility to swap out different quantum resistant algorithms and see how it works for you. Basically, as I said, get your hands dirty, build proof of concepts, build your demos and see what building that infrastructure looks like and see how it interacts with your solution.

  • Tim Callan

    So, I go to the Quantum Labs page. I navigate through to the test kit download page. I hit the button. My zip file comes down. What's in it?

  • Jason Soroko

    Essentially, it's some binaries that enable you to issue hybrid certificates and that's really the most important piece, but I think that surrounding that is also basically there is a canned test system that you can work with as well as get support from Sectigo to be able to actually implement this in your particular scenario.

  • Tim Callan

    Ok. I think that's very well said. So, the quantum kit today in its first form allows TLS certificates specifically but that doesn’t mean that that would have to be the only certificate types that we're offering and I think in the future we are expecting to expand the capability of this kit, right?

  • Jason Soroko

    Absolutely, Tim. And I think that's also the importance of having this entity within Sectigo. Basically, this competency group because we know that this is gonna grow through time. This is still at the beginnings, NIST hasn't decided on the algorithms yet. We know that there is also signing capabilities people are looking at in the future. This is going to grow and expand through time, and we just wanted to give it a house to live in.

  • Tim Callan

    Yeah. Absolutely and an easy place to get to. So, this is probably a good time to plug the URL. So, the URL is Sectigo Quantum Labs. And first, you can just search on Sectigo Quantum Labs but secondly, if you did sectigo.com/quantum-labs that will get you there. You'll land on the Sectigo Labs top-level page, and you'll be able to get all the material you need from there.

  • Jason Soroko

    Yeah. It would be a good place to visit because as you can imagine, we are not going to stop our education. That's a good place where we are gonna put all of it and as we continue to monitor what's going on in the world on this very important topic that's going to be a great place for you to go to learn.

  • Tim Callan

    Yeah. And lastly, I think we should shout out to our partner who helped us make this possible. So, we also announced simultaneous with the announcement of Sectigo Quantum Labs we announced our partnership with ISARA.

  • Jason Soroko

    Yeah. ISARA, an organization out of Waterloo, Ontario, Canada. Really smart bunch of people who really understand this down to the core and they've got basically the guts of the binaries that you will be working with were developed by people who are the absolute best in class. And, you know, I've worked with them now, been able to ingratiate myself with their team and they really are the best of breed people on this topic.

  • Tim Callan

    Yeah. I've also had a chance to work with them. Not as much as you but certainly an impressive bunch and they very much know their stuff. So that's it. This of course, as I mentioned, is an ongoing topic and is going to continue to be an ongoing topic so it's not the last time you are gonna hear about quantum-safe certificates and quantum-safe cryptography, but the good news is – now there's a place that you can always go and know that you are current and that place is Sectigo Quantum Labs which again is, sectigo.com/quantum-labs.

  • Jason Soroko

    That feels really good to have an address now for people to go.

  • Tim Callan

    I know. Ain't it nice.

  • Jason Soroko

    Yeah. So therefore, to all you vendors out there who have long-term plans and by long-term, I mean anything more than a few years. Unless your device is disposable, this is a topic that is probably of interest to you. It probably would not be a bad idea to start playing with this and getting your hands dirty with us. We are here for you.

  • Tim Callan

    Love it. So, thank you very much, Jay.

  • Jason Soroko

    Thank you, Tim.

  • Tim Callan

    Thank you listeners. This has been Root Causes.