Root Causes 452: 2024 Predictions Scorecard
We go over our predictions for 2024 and score our ability as prognosticators.
- Original Broadcast Date: December 30, 2024
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
It's the end of the year, and as we always do, we do a set of predictions for the new year, and then we also have decided to rate our predictions for the previous year. We did a set of predictions in 2024. I have them written down here. You may also. And why don't we just go down and slam them out and see how we did.
First one off, shortened certificate lifespans we predicted - - I think I was pretty bold in predicting that there would be a clarified timeline, and that would be clarified by the summer, and it would be a hard requirement by 2025. So I definitely failed that one.
-
Jason Soroko
I think there were some reasons for it. But we're not far off. I think that's the defense of it.
-
Tim Callan
First of all, I get to make the same prediction again, so I don't have to think of new predictions. That's nice. It makes it easier for me. Second one is, there was definite progress. It was just slower progress than I was expecting. We're gonna get there. We didn't get there in 2024, but I do think 2025 is the year for that.
-
Jason Soroko
We're not going past 2025 without something. So there you go.
-
Tim Callan
All right. Second one. This one was absolutely correct. MPIC. Because at the time it was called MPDV - We'll give ourselves a break on that one - would be a real thing. Spot on. It is a 2025 requirement. All the rules were codified and set in 2024. That turned out to be exactly true.
-
Jason Soroko
I would like to remind people it wasn't a slam dunk when we predicted it.
-
Tim Callan
Absolutely. It was very debated and fuzzy and unclear when we made that prediction, but what was clear was that the BGP threat was real. There were potential paths forward, and something had to be done. That part was clear, which is why we were aggressive in making that prediction.
-
Jason Soroko
Some of our predictions, by the way, are things that we don't want to happen, but we think will happen. This was one where we hoped it would happen, and it did. That's great.
-
Tim Callan
Real happy about that one. I agree.
Next prediction was that it was going to be the year of EIDAS 2.0.
-
Jason Soroko
I have the dates written down, Tim. So, May 20, 2024, that was actually right around when the last Toronto sessions were recorded. So it happened. In other words, it came into force. It actually became law in May of 2024. So there you go. Checkmark on the prediction. Also, November 21, 2024 is when the reference for the e-wallet was published. So therefore, I mean, you can't get much more than that for EIDAS 2.0.
-
Tim Callan
It’s big. It’s all over the news. Lots of people are working on it. It's a really big topic in Europe.
-
Jason Soroko
Another checkmark. Optional OCSP. It happened. So OCSP is now optional. And in fact, Let's Encrypt has announced that it will be phasing out OCSP. Let's Encrypt also has announced that in 2025 it will be offering a six-day cert which, by definition, will not require any revocation checking at all. And I believe, I expect, that there will be no revocation checking, no OCSP, no CRL associated with that certificate from Let’s Encrypt when it comes. And so when you look at those two things in conjunction, the optional OCSP thing really is here. Of course, OCSP is problematic in a number of ways and is falling out of favor. We still think that over a long time it's going to kind of gradually fade away.
-
Jason Soroko
For those of you interested, I don't have the number of the podcast, but we did do a podcast on OCSP’s privacy problem.
-
Tim Callan
Yes, that's the one to go listen to. You'll learn about the privacy problem with OCSP. There's also, ultimately, a reliability problem with OCSP. It just doesn't always protect you.
-
Jason Soroko
Revocation is hard.
-
Tim Callan
Right. So that one.
We said that 2024 would be the year that enterprises woke up to PQC. I would say absolutely.
-
Jason Soroko
100%. Even for people who were fully in the "PQC is a boogeyman, don't talk to me about it, PQC is just a way for the identity industry to throw FUD my way to make me scared" camp. I think all those people now - I mean, the Willow chip was just dropped on us by Google. Tim, 2030 is going to be real. NIST, not least, has published a pre-draft document saying they didn't wait for the apocalypse to occur. The deprecation of our current cryptographic algorithms is on paper.
-
Tim Callan
So if you'll see our 2025 predictions episode, which I'll encourage. Finish this episode. Finish this episode, please. But then if you go to our ‘25 predictions episode, one of the things you'll see is we're predicting continued progress in this - - I won't repeat that. You can see it from that episode, but we talk more about what ‘25 holds in this regard.
CLM and certificate automation on the ascent.
-
Jason Soroko
Tim, during your predictions for 2025 you had said that CLM and automation in the past were a thin slice of the population, and now it's completely gone to the inverse, which is now like people are at least thinking - - The majority of people are at least thinking about automating, and they have to because of shortened certificate lifespans, they have to because of PQC and other things - outage risk - that people are waking up to. And it's very true. I think that Certificate Lifecycle Management and automation are on the top of people's minds.
-
Tim Callan
Absolutely. Very much so. I agree. I don’t know how to put a number on it, but it's just much better understood. That year made such a difference in terms of people just knowing about the category, knowing the word, knowing about the need in a way that they hadn't before.
The continued deterioration of the password and MFA.
-
Jason Soroko
Holy smokes did we ever see a lot of that. I have a few notes on that, Tim, which are, one of the big things in 2024 in terms of a lookback. Snowflake did not have mandatory MFA. Google had to do the same. They followed suit as a major public cloud infrastructure provider. But we also had things such as, in the MFA world, AuthQuake. Major attacks against MFA. And on the bright side, we had a podcast not that long ago about, hey, passkeys are slow on uptake. Well, the good news is, Microsoft, in its slow rollout of passkeys, is doing it, I think, in a very smart way. Xbox, Office365, Copilot. A number of their products now use passkeys, which is just great, because I think people will start to get more used to it. In other words, I think the uptake was slow. You and I reported on that, but I think that this is the silver lining to the deterioration of passwords. There is some uptake of better technology.
-
Tim Callan
I agree. I am seeing more. I remember us talking about that because we're like, well, I don't think I saw one once. I am seeing more passkeys now than I was then. It is showing up more in the ecosystem. It was longer than I was predicting it would take. Then, of course, government versus the internet.
-
Jason Soroko
Oh my God, this is one where I didn't want to be right. Tim didn't want to be right, but I think this wasn't just Tim and I being cynical. This was just reading the room and realizing, wow, governments are really up to some funky stuff. Not the least of which is EIDAS 2.0.
-
Tim Callan
EIDAS 2.0 in many ways is great. And I've said this multiple times, and I'm going to stand by what I said. In many ways, it's great. In many ways, I'm a huge fan, but it has built into it this fundamental government backdoor. First of all, there is a definite worry about competency. Then connected to that, though, is there is a very serious worry about governments choosing to do the right thing. In fact, I'll go a step further. I would be flabbergasted beyond belief if we saw governments genuinely choose to do the right thing.
-
Jason Soroko
Stay tuned for an episode we are about to record on Crypto Wars 3.0. Watch for that one.
-
Tim Callan
And so government versus the Internet didn't let up. Isn't letting up. Once again, check our 2025 predictions. You'll see it there too, because, unfortunately, this is our world.