Podcast
Root Causes 351: 2024 Predictions
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
December 27, 2023
We look forward to 2024 and predict trends for PKI, certificates, and digital identity. We discuss shortening certificate lifespans, Multi-perspective Domain Validation (MPDV), eIDAS 2.0, OCSP, post-quantum cryptography (PQC), Certificate Lifecycle Management (CLM), passwords, root stores, and government versus encryption.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo, it’s the end of the year, and as we do, we are making predictions for 2024. This is our 2024 PKI certificates/digital identity predictions episode. So, here we go. Let’s see how we do. Hopefully we are right. We got a list of predictions. You want to look at the first one?
Jason SorokoI’m looking into the crystal ball, Tim. And I am seeing that shortened certificate lifespans are not only going to potentially happen but I think what’s more important is that the information, the details, the timeline around them will be clarified.Tim CallanYeah. I think that this year in 2024 and not even like at the end of the year, I think by the summer we are going to know very clearly what is happening with maximum term 90-day SSL certificates. We are gonna know the how and we are going to know more importantly the when and I think that is coming and then based on that, everybody will be able to build their roadmap for how to deal with this. Now, I do not believe that that will be a requirement in 2024 but I do think it will be a requirement in 2025. And I think 2024 is going to be the year for organizations, for IT departments to figure out their action plan for how to deal with 90-day SSL certificates.Jason SorokoTim, I’m gonna ask a bold question. And you don’t have to give the answer but I’m gonna ask it. Do you think that there is going to be a date in 2024 - not just that there is going to be clarification on details and timeline – but do you think that there will be a date in 2024 where there will be the last day that you could buy a one-year certificate?Tim CallanI think that date will occur in 2025.Jason SorokoThere you go.Tim CallanI am predicting that that date will occur in 2025. And furthermore, go out on a limb, I think it will be the first half of 2025, which will be the last day that you can buy a one-year certificate. That is my prediction. I’m throwing that out there.Jason SorokoSo, with that being said though, Tim, I think that means you’ve gotta be preparing for 90-day certificates next year. 2024 absolutely.Tim CallanYeah. If it’s gonna take you a year to get geared up and ready, then 2024 is gonna be your year of getting ready because 2025 is gonna be when it actually comes in as a requirement. That is what I think is gonna happen. We will see if I’m right or wrong on that.Jason SorokoThere’s the prediction.Tim CallanBut I’m throwing that out.Jason SorokoMulti-perspective domain validation.Tim CallanMulti-perspective domain validation. MPDV is going to become a real thing. So MPDV is the future. It’s going to happen. BGP attacks are just – they’re real. Right?Jason SorokoYep.Tim CallanIt’s a real vulnerability and the way you counter that is MPDV. I don’t think there’s really any question that that is something that’s gonna be required for all public TLS certificates and I’m predicting that 2024 is the year where all of that gets 100% clarified. Again, the how and the when. I’m not saying that MPDV will be required before the end of next year, but it could. But I think that’s unlikely but I think MPDV absolutely will be required in 2025. And 2024, once again, is gonna be the year where it comes in and rules get set around it and we have to go, you know, then the infrastructure, the industry, people like public CAs go figure out how to implement it and operate in volume using MPDV.Jason SorokoYou know, it’s interesting, Tim. I think that for most of you out there who are consumers of publicly trusted certificates, I’m hoping that the clarification will not affect any of you. I’m hoping that this affects the CAs entirely and that there would be no effect on how you purchase, consume, acquire, use your publicly trusted certificate.Tim CallanThat’s the vision. That’s the vision. That it’s the CAs work to do. Not the certificate subscriber’s work to do and that’s certainly what we want to go for. And by the way, the first four of these predictions are all in the world of public certificates. So, I batched those together. Prediction number three here is that eIDAS 2.0 is going to really matter. eIDAS 2.0 is going to set the stage for widespread use of digital certificates by citizens in a way that eIDAS 1.0 never really did.
Jason SorokoYeah. I would say that eIDAS 2.0 with its distributed identity wallets, in Europe especially, I think that people will start to see those use cases underlying that being used and people are just gonna get used to being able to use a digital wallet to attest to themselves and do various kinds of business and apply for things and vote for things. It’s gonna be the new way to do things. And whether it’s eIDAS 2.0 in Europe or some other identity wallet in North America, I just think that you’re gonna see more use of it 2024.Tim CallanAbsolutely. And I think eIDAS 2.0 in particular is gonna be a big driver for that. And, yes, your point – as people become aware of it and how it’s potentially beneficial, eIDAS 2.0 could actually give rocket fuel to other identity wallet schemes. Right? Because it raises awareness and helps people understand why it’s beneficial. But even if some other scheme winds up growing in popularity, that still could owe itself back and I think willow itself in part back to what eIDAS 2.0 does in terms of raising the stakes in this regard. Alright. Last one for public certificates is I think there’s a very real chance that 2024, that by the end of 2024, we do have optional OCSP. So, we talked in our lookback episode about how OCSP is on life support, and I think 2024 could very well be the year by the end of the year where for a public CA OCSP is purely optional.
Jason SorokoYeah. I agree with you, Tim. If it’s not declared as such completely in 2024, at least we’re gonna have the timeline set. In other words, a big year for clarifications. That’s for sure. But in this case, yeah. I bet you we are gonna hear a lot more about that so stay tuned.Tim CallanOh yeah. I mean for sure we’re gonna know, again, what the timing is and if it doesn’t happen by the end of 2024, I feel very confident that optional OCSP will occur in the first half of 2025. But I think there’s a very real chance a non-trivial chance that before the calendar year is out, OCSP is optional.Jason SorokoYep. I agree.Tim CallanAlright. Now, getting out of the world of public certificates. We’ve got some other predictions. The first one – and this probably isn’t controversial – is that enterprises wake up to post quantum cryptography. So, if 2023 was the year of industry waking up to post quantum cryptography, which it really was and we talked about that in our lookback episode. 2023 was the year where vendors and people started to say, oh geez, I need to do something about this. 2024 is going to be the year where just your average department becomes aware of the fact that PQC is coming, that they are going to need to implement it, why they are going to need to implement it and they are going to start to educate themselves and understand that it’s coming and what they need to do about it. I think that is what we see in 2024. Alright?
The next one is related to this. CLM on the ascent. So, 2023 was a CLM on the ascent year, I think. I think you agree with me, right, Jay?
Jason SorokoGeez. It sure was, Tim. Because even what we were talking about previously, enterprises wake up to PQC. You know, this requires you to have - - you can’t manage what you don’t know you have in terms of a certificate. You gotta do discovery. You have to have visibility and you have to be automating and well, guess what? Those are like pillars of certificate lifecycle management, Tim.Tim CallanYeah. So, certificate automation, CLM, in particular, being like a platform, an application that is there to do this I think is very much on the ascent. If you want to broaden it a little like you just did and say certificate automation in general was on the ascent in 2023, even if it’s just the use of ACME, you’re absolutely right. And I predict that we are gonna see both of those trends. The automation trend in general and the CLM trend in particular picking up big time in 2024 for many reasons we’ve talked about – awareness growing, the need to deal with shortened certificate lifespans, the need to deal with PQC and just general - - in fact, the stakes are so high, it’s such a lousy way to spend your time managing certificates and there is a better way. And so, all of those things are gonna come together and we are gonna continue to see more awareness, more interest, more adoption of automation in general and CLM packages in particular through 2024. Alright. Now the last two, these are perpetual. These have been true every year you and I have been doing this podcast. We’ve been doing it for four years. I think these will be true for the next four years.
The first one is the continued deterioration of the password. So, passwords are just really weak, really bad, really horrible. We’ve talked about this more times than I can think of in our 340-ish episodes, and we’ll talk about it many times to come and there’s more and more recognition of the fact that passwords are terrible. 2023 was a pretty big year in terms of the breakdown of the password and I think 2024 we are going to see that continue.
Jason SorokoIt’s gonna continue and I’ll go as far, Tim, as to say that I bet you there’s at least one or two good podcasts in 2024 where were get to talk about truly catastrophic breaches. Truly catastrophic. And I mean bad for consumers, bad for enterprises, bad for everyone, scenarios where a simple password and also MFA was breached and leading to something truly heinous, terrible. I bet you 2024 will be just another year where it just gets worse and worse.Tim CallanI agree. Sadly. Right? I think MFA under attack is just continuing for sure. We saw a very clever AI-assisted audio password attack that came out in 2023. I can see that sort of scheme becoming more usable. Right? Not being a science project but being in an actual potential vector. So, continued deterioration of passwords and MFAs. Now let me ask you this question, which is when are we gonna be able to announce the death of the password?
Jason SorokoOh my goodness. That’s a good question. That’s not happening next year.Tim CallanNo. I agree. Definitely not happening next year.Jason SorokoWhen? You know what, let’s do over/under. Before I retire or after? That’s the better one.Tim CallanThat’s the trouble.Jason SorokoI think after.Tim CallanI think you’re right. I think when are we announcing the death of the password? Not in the next ten years.Jason SorokoNo.Tim CallanYeah. Which is too bad because it is such a weakness.Jason SorokoIt is.Tim CallanAlright. And then the last one, again, perpetual. We’ve been talking about it for four years while we’ve been doing this podcast. I’m sure we’ll talk about it the next four, which is government vs. the internet.Jason SorokoGovernment vs. cryptography.Tim CallanGovernment vs. crypto.Jason SorokoGovernment vs. its own citizens, etc., etc., etc.,Tim CallanYep. Absolutely. Governments are gonna keep trying to hamstring and control the internet. Governments are gonna continue to dislike fundamentally the idea that technology is not something that they can control and they are gonna do what bureaucrats do and they are gonna do what leaders in governments do and they are gonna do what law enforcement people do and they are going to do try to shackle it and it's going to continue not to work because this is these people fundamentally not getting their relationship with technology. Just not understanding. And not understanding that technology is bigger than them, it’s out of their grasp and ultimately it’s more powerful than that. And we’ve seen this for four years. We’ve seen this. We’re going to keep seeing it and it’s a shame, but there is nothing to suggest that anybody is learning a lesson about this in the major governments of any large nation anywhere in the world. So, I think they’ll go right on with their attempts to shackle and hamstring technology and reign it in and control it and it’s gonna continue not to work.Jason SorokoHere’s a weird one, Tim. I’ll mash these up. I bet you you’re gonna have a Western government announce that they want to have their own internet like Russia or China before we announce the death of passwords.Tim CallanOh, ok. Alright. Who knows when we are announcing the death of passwords. I’ll buy that. Once you put that last bit in there, it gives us a big window. Sure. I think that definitely could happen. And then on the government vs. the internet thing, one of the particular real stories to watch is the eIDAS 2.0 story. Right? And eIDAS 2.0 is such a great example of this because I think there’s a lot of good stuff in eIDAS 2.0 and I’m actually mostly a fan of it but one of the things that’s there is this concept is governments attempting to take away control over who are the trusted root providers and as you and I have talked about in previous episodes, who do I think is better equipped to evaluate the right list of trusted root providers? Is it a born and bred technology company, like Google or Apple, or is it Lithuania or Greece or Spain? And I think I know the answer to that. My money is on Apple not Spain.Jason SorokoWell, I tell you, Tim, you’re right and there’s no argument from me on that point but I would even say there’s even another stranger way to look at it which is - - You know, the tack you are taking saying, look, if eIDAS 2.0 is mostly a response to try to keep up with or at least not be shackled to big American tech companies, right?Tim CallanYep.Jason SorokoThat’s a statement we can make, and I think we all agree that that’s what’s really going on. I think though that the rule, the root store that you are talking about, that whole situation with eIDAS 2.0, I cannot still, still cannot figure out why it’s a good reason to force browsers to potentially have roots in the root store that they don’t want to have. And it’s like that’s crazy to me because the only reason why a government would want to do that is for nefarious purposes. There’s no good reason. So, folks, government vs. the internet, it’s getting crazy out there.
Tim CallanYep. Government vs. the internet, for sure, and eIDAS 2.0 is just the latest example. And again, to repeat some of the things we’ve said before, this isn’t a rant. This is the European Union, right?Jason SorokoYeah. And that’s why I said, you know, a Western government wanting it’s own internet. It’s whacko. It’s gone that far. Lawmakers in these countries have now decided that through policy they’re going to do very, very unnatural things to distributed systems. And it’s just silly.Tim CallanAnd again, it is a misunderstanding of what distributed systems are. It’s a misunderstanding of where their power lies and where it doesn’t, and it doesn’t work. I mean governments have been trying to do this for a decade and whenever they try to control technology, they break technology and they’ll do it again.Jason SorokoI don’t think these predictions were Canadian enough either, so you might be in a lot of trouble.Tim CallanOh yes. How about this – a special bonus prediction. Jason is not Canadian enough and he gets packed away to the Gulag for not being Canadian enough. Ok. There you go.Jason SorokoThat’s a guarantee.Tim CallanThat’s a special gift. That’s a guarantee. Alright. Well, there you are. That’s our set of predictions and I guess we’ll come back in a year, and we’ll see how we did.Jason SorokoLet’s do it.Tim CallanAlright. Thank you, Jason.Jason SorokoSee ya, Tim.Tim CallanThis has been Root Causes.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
