Podcast

Root Causes 450: 2025 Predictions

Hosted by
Tim Callan
Chief Compliance Officer
Original broadcast date
December 23, 2024

We make our 2025 predictions. Topics include maximum certificate term, AI, post-quantum cryptography (PQC), deep fakes, and more.

Podcast Transcript

Tim Callan: Let's go, Season 2. And it is near the end of the year, and we are all ready to do our predictions for 2025.
Jason Soroko: We've got to look forward. And there's a lot on our lists, I think. So let's go.
Tim Callan: There is. And you made a list. I made a list. We didn't compare our lists. We decided yesterday, coordinating for this, that we were gonna operate off your list, and then if you hit an item I had, we'll just cross it off. If you hit an item and I said the opposite, we'll have a nice debate. And then afterwards, I'll just pick up anything that is different between them.
Jason Soroko: No problem. Let's do it.
Tim Callan: That works. So, Jason, Prediction #1.
Jason Soroko: Is 2025 going to be the year that short certificate lifespans aren't just being talked about, aren't just a proposal, but actually either pass a CA/Browser Forum ballot or go through some other process, Tim?
Tim Callan: Here's what I wrote. A concrete schedule for TLS lifecycle reduction is in place and starts in 2026. So that's one of my predictions. Yes.
Jason Soroko: Good stuff.
Tim Callan: I think in 2024 we saw a great deal of progress in this area. And leaving the year, we are poised for something to be codified, either - and I would say preferably - through CA/Browser Forum ballot. I would really like it to be through a ballot, but if needs be, through a browser root program requirement. And I don't think that the major browsers are just going to let the year go by if the CA/Browser Forum can't get there. I don't think they're just going to let it go. I think they're going to take their own action.
Jason Soroko: I agree with you. Would it be a first if a shortened certificate lifespan were to actually pass by ballot?
Tim Callan: I don't know if it would be a first at all, because I don't remember off the top of my head whether the three-year restriction passed by ballot or whether it was a root program requirement first.
Jason Soroko: That's the one I'm wondering about.
Tim Callan: But it's definitely rare.
Jason Soroko: I know that the last two were not by ballot. It was a root store requirement.
Tim Callan: So in all fairness, capping certs at all happened by ballot. Like the three-year EV requirement happened by ballot. Or the two-year EV requirement, rather. The three-year code signing requirement happened by ballot. And the three-year moving down to two-year S/MIME requirement happened by ballot. So it seems that two/three-year kind of time frames are very passable in the CA/Browser Forum. I think it's the shorter stuff where we're finding that it's not.
Jason Soroko: I am with you, Tim, in that I hope it is by ballot. That would be just great.
Tim Callan: So that's one where we're in alignment. We both had the same thing, and I can cross one off my list.
Jason Soroko: That's great. I had a feeling that would be. So, Tim, I tell you what. There's really not a lot of order here, except that I wanted to talk about new taxonomies, new wording for things that are going on in digital identities right now. And that is, there seem to be two camps. Maybe there's more, but one of the camps is human identity - used by everybody - in a binary sense, against non-human identity, NHI. I'm starting to increasingly see that from the non-traditional identity players who aren't right in the CA or the CLM space. So in other words, human versus NHI, as the two parts of the concept. Then, of course, there's the other camp that breaks it down a little more into human and then machine identity, which then further breaks into device, workloads, etc. And so those are the two camps that I'm seeing. I'm wondering if in 2025 we start to see a blending or a shakeout in the terminology that's used in our space.
Tim Callan: It's interesting. We've seen this with other things. And I think when you say that, I immediately think about discussions you and I were having about four years ago, about what to call what ultimately wound up being called PQC. And I'm not sure that PQC was the best choice, but it's what everyone settled on. I don't know how these things happen. Some secret cabal decides and we all have to do it or something, but I think yes, you and I should be the secret cabal. I agree. So then when you do get these kinds of warring sets of terms, you have to collapse on one, or it makes discussion really hard.
Jason Soroko: It's already hard enough. Because people like us who are inside baseball, we know the subtleties. We know where these things are coming from. We even know the personalities that come up with these things. But for the average person who is trying to do defense and procure these technologies, they might be thinking they're different things, when in reality, it literally is just a different way of categorizing ideas.
Tim Callan: So are you picking a winner, or are you just saying that it's gonna have to get settled?
Jason Soroko: No, I'm not picking a winner yet. I really don't like either scheme. I'm just like you on PQC. I think it could have gone a better way, and I don't even think it's gonna go a great way with these new taxonomies. But it doesn't matter. Let's pick one and be really clear as an identity industry. That's all I'm saying.
Tim Callan: Good. That's prediction number two. We're gonna settle our taxonomy around human and non-human digital identities.
Jason Soroko: So I think the next thing I want to do is we'll start to get into categories of predictions, because some are going to be under the big topic of AI or quantum, etc. Let's start with AI, just because I think quantum is going to be interesting towards later on. Remember how we talked about this during our 2024 lookback episode, about how a Western nation was going to say, hey, we want our own internet. I think that a sovereign chunk of the internet becomes something separate. I think what you're going to start to see with AI is sovereign AI.
Tim Callan: So sovereign AI, meaning AI that is operating independently of human oversight?
Jason Soroko: No. It's definitely under human oversight, but it is under some form of influence by government, and is regional in nature, and it will be enacted upon by large telcos. So in other words, there might be some sort of policies written into laws. I'll give you an example. Europe is quite, quite far ahead - and this is a podcast we should be doing soon - on safety and rights with AI, because it's a major concern right now. And so Europe might say, if you're going to deal with the European Union, if you're going to use AI as part of your services, it has to be an AI we approve.
Tim Callan: Now this is shades, for me, of a lot of conversations we've had before. And I think you can probably predict where I go on this one, which is, I don't trust their confidence and I don't trust their good intentions.
Jason Soroko: Let me put it this way. There is already so much bias in AI, even from the large US tech firms, that specialized bias that is more nation state based is inevitable to me. In 2025, you're going to see more of it.
Tim Callan: I think, kind of in a free economy, if you want to make your AI however you want to make it, people can choose to use it or not, and they can live with your bias or not. I get nervous about this force, this control by fiat of which technology solution we will use under which conditions. That's where we get into ground that I get extremely uncomfortable with.
Jason Soroko: Get ready for it.
Tim Callan: All right. That's a good one, Jay.
Jason Soroko: Next one under AI. Sam Altman, CEO of OpenAI, had been talking about when AGI, artificial general intelligence, arrives. Which is basically, I think the rough definition is AI that is at the intelligence of a very intelligent human being, or the smartest human being. That will be a major moment. An aha moment. And here's my prediction. There have been people, Sam Altman included, who said 2025. I'm going to predict you will not see it in 2025. And that's an important prediction, because if it was in 2025, oh my god, all hands on deck, because it's going to change the world. I think - and here is my thinking - that AI has hit the wall of scaling. And we're gonna have a lot more conversations about this during these Toronto sessions, but I think that this shift to more clever thinking about how AI is going to proceed, it won't just be from cheap, cheerful and easy scaling, which has got them to where they are right now. Therefore AGI, not 2025.
Tim Callan: I mean, it's interesting, because if you think about it, there was a, let's say, six-month period where it seemed like the progress in AI was ridiculous. If you compare AI today to what we had a year ago - not super different.
Jason Soroko: I think you're seeing where I'm going with my thinking. And this is not a big news item. I'm just putting my foot down and saying, let's at the end of 2025 see where we're at. I don't think you're going to be having AGI at that point.
Tim Callan: So, and I don't know if I'm going to step on another one of your predictions here. In terms of the core tech, I agree with you. I do think over the course of 2025, though, we are going to see the complete, the end of something that started in 2024, which is the complete and utter - what's the word I'm looking for? Applicationization. Is that a word? The complete and utter integration of AI into every conceivable use case, even the ridiculous ones.
Jason Soroko: Not only are you leading into my next prediction, but this is literally the next prediction. And it has a name. And it was even part of OpenAI's own predictions about how the progression of AI would be, and we call it Agentic AI. Now it's going to take on a lot of other names, because people are going to apply it in different ways. But underneath the hood, AI had a first mile problem where it needed to get data. And it was hard. And then it'll use its intelligence to do things, think about things, and optimize the system. And then it needed to solve the last mile problem to actually do something. And so Agentic AI is literally the phase change that we just went through at the end of 2024. And by the way, this is not the prediction. The prediction is coming. I'm about to tell you this. The prediction is this. Because AI, at the end of 2024, went supernova with Agentic AI solving the first mile problem, solving the last mile problem, I think that people who are studying the offensive side of this now know that they have an even bigger "in" in enterprises, if that's the case. In other words, if you're automating the heck out of absolutely everything, that's a big attack surface now for the bad guys.
Tim Callan: So if I can trick - just to put it in layman's terms - if I can trick the AI, I now have this very empowered agent with a huge amount of privileges inside the target, and if I can get that to do the wrong thing, if I can get that to do the things that I want it to do, which are not in the best interests of the owner of that AI, that is a major, potentially powerful attack surface.
Jason Soroko: Stay tuned for a podcast on that in this Toronto Session.
Tim Callan: So are you predicting that we're gonna start to see news articles about this occurring in the wild in 2025?
Jason Soroko: Agentic AI went supernova in 2024. What's the very next step?
Tim Callan: I think so.
Jason Soroko: You got it.
Tim Callan: There's another one.
Jason Soroko: There you go. So, Tim, Google had a blog in October of 2024 - Moving Forward Together - which I think was their second version of that blog. And I don't know how many people read down.
Tim Callan: They did publish a major update pretty recently.
Jason Soroko: In October 2024. And one of the things I found very interesting was discouraging usage of publicly trusted certificates for purposes other than the one use case.
Tim Callan: I know where you're going with this. It's a call to action for subscribers, for users, to cease using public certificates in use cases that are more appropriate for private certificates. Is that your point?
Jason Soroko: That is 100% the point.
Tim Callan: This is definitely one of the things that the Chrome team has made into a pretty strong statement in recent times, during 2024, and the reason for that - this goes back to conversations we've had in the past, and certainly will have in the future, about the Bugzilla bloodbath - is that a big element of the plague of DelRev incidents that is still going on, the DelRev epidemic that is still occurring, is supposed situations where they're too fragile and critical for public certificate lifecycle requirements. And we're hearing this in terms of delayed revocation. We're also hearing this in terms of shortening certificate lifespans, where as we start talking about making public certs shorter, the similar hue and cry comes up where people on the subscriber side, or CAs who want to represent that viewpoint, come up and say, well, they can't cycle these certificates out in this kind of timely fashion. And so the response for both of those coming from Chrome is to come back and say, well, then you're using the wrong technology. There is technology that does this. That's the technology you should be using. Instead, you're using the wrong technology.
Jason Soroko: So if you read the exact words from Google - really, paraphrasing a little bit - it has to do with this idea that, look, historically, the reason why publicly trusted certificates were used in certain private use cases was because it was just easy. Easier than setting up a private CA, back in the day. I think what's going on, though, is Google said flat out there's opportunities for innovation in order to allow - I'll use our words - certificate agility in the public realm. And if you have other needs, for example client authentication - if you're using publicly trusted certificates for client authentication of any kind, you shouldn't be.
Tim Callan: You don't need to.
Jason Soroko: You don't need to.
Tim Callan: That's one where there isn't a case - if it's real client auth - there isn't a case where you need public certs. There just isn't, because you own the authorizing system.
Jason Soroko: So here's the prediction. Google came out with their 90-day proposal. Apple countered it with their proposal. That was part of our 2025 predictions, and Tim gave you the answer to that. My prediction is 2025, get ready to hear a lot more from Google about public and private certificate usage.
Tim Callan: And I will layer onto that. I agree with you completely, and I agree that that will become a major point of discussion in the industry. And I will layer on to that that some of the actions that we are seeing proposed in the public certificate space, including reducing certificate lifespan, including requirements and penalties around delayed revocation, are in part to address this exact problem.
Jason Soroko: Let's move on to quantum. Just because we have to. So it's late 2024 as of right now. We're in Toronto in the middle of December, and Willow, the Willow chip, just got dropped on us by Google. And I think all the naysayers for quantum need to check themselves, because the naysayers basically said, look, the engineering is just gonna be too hard. You will not be able to achieve error correction at this level, and you'll never have modularization. In other words, double-stepping processes in quantum computing. That's exactly what Google just delivered, Tim. Therefore, when the Willow chip was delivered to the world not very long ago, some people came up to me and asked me, Jay, does this mean that the 2030 post-quantum date gets pulled in? And I said, no, it's probably more like proof. Proof-ish, that we're on track.
Tim Callan: It solidifies the 2030 date as a real date.
Jason Soroko: You got it. So here's the prediction.
Tim Callan: I mean, the 2030 date, like, how do you pull it in? You can't pull it in.
Jason Soroko: It's not about pulling it in.
Tim Callan: It's only five years away.
Jason Soroko: I can understand people being worried about pulling it in. I'm just saying the naysayers are the ones who, at the end of 2024, lost their bet. If anybody had Vegas money on this, they lost their bet.
Tim Callan: So 2025 is the year that we have broad acceptance among serious, informed thinkers that it's not a science project, it's an engineering-driven future. And that this is a thing that we must prepare for, because it will happen, whether we want it to or not.
Jason Soroko: My response to some journalist was almost exactly those words, Tim. It is no longer a science experiment. It's good engineering. So what's some good engineering for 2025? And here is the prediction. I think now that we've seen Google release Willow, we're going to see IBM release Flamingo in 2025. Which is going to be the next progression. So my prediction is that this just grinding path of good engineering is going to continue, therefore we will exit 2025 feeling even more like 2030 is a real date. That's the prediction. So, give me a second. Tim, here's a thought for you, just as a side note.
Tim Callan: Are we still on the PQC topic?
Jason Soroko: We are still on PQC. The United Nations has declared 2025 as the International Year of Quantum.
Tim Callan: I didn't know that. Well, and rightly so. So, one of the things that I've maintained is that 2023 - and I think this part has held up - 2023 was the year for the industry, for the technology industry, to wake up to PQC. 2024 was the year for enterprise IT departments to wake up to PQC. 2025, from my list, is the year that we see PQC in production.
Jason Soroko: Yes, and thank you for that. It's almost like we had talked about this ahead of time, but it's a perfect segue into my next point. We're going to be doing a podcast soon on Jason programs a quantum computer, because of the democratization of quantum computing through hyperscalers, the big public infrastructures, the big cloud infrastructures that are out there. They're making these things available. And I got to learn a great deal recently about programming a real quantum computer. Now, a very, very tiny one, a very early one, but nonetheless, there's a lot to learn. And so this is my next prediction: this learning is so profound, like for old guys like me who program traditional computers, now that you've put me in front of a quantum computer, my whole thinking is changing. And I can't imagine people who are really, really - like they're in the business of programming, they're in the business of thinking about computing - and what they can do with a quantum computer. And I think that not even using a quantum computer itself, but by using quantum computer simulators and learning on them, is going to result in, ironically, even more powerful thinking, especially in conjunction with AI, for how to get the most out of traditional computers. It's ironic, and I think this is going to be the 2025 lesson, in that quantum computers make us think better about how to use traditional computers. That is a prediction: that you'll see a lot of people saying, do we really need quantum for this? Because I now know a better way.
Tim Callan: And I can run that on existing, established, cheap, reliable, ubiquitous architecture.
Jason Soroko: So my final quantum point is that, of course, we have Apple iMessage, Signal, and now the list is starting to grow faster than I can keep up, but various messaging systems that are using quantum key exchange. Bas Westerbaan, who was on our podcast, talked about, of course, Cloudflare's major efforts in that, and it's tremendous how successfully that is going - I keep up with his blogs, keep up with the celebrations for how well Cloudflare is doing. You're going to see that all over the place.
Tim Callan: So you're talking about, basically, implementations of mostly ML-KEM, broadly. That's kind of what I meant with my shorthand of PQC in production. Like, we did see some of that in 2024. We had Cloudflare. Now you still won't be able to do that with a public cert, but I think 2025 is the year where you will be able to run ML-KEM, ML-DSA, in your internal, entirely owned, walled garden environments. And we will see that happening in real, real-world production systems, starting with the ones that are most sensitive, highest risk. Starting with obvious candidates. Think about a major global financial institution or a government. But yes, I do believe we will. We will be seeing that occurring in real production in 2025.
Jason Soroko: Great projection. Getting down towards the lower end of the list here. I've got a call-out. This probably could very much be a standalone podcast. Let's see how quick we can get through it, Tim. I think in 2025 blockchain will find its second killer app.
Tim Callan: Oh, and what is it?
Jason Soroko: Well, we just spoke about level two to level three AI. Level three to level four AI has already been demonstrated, in that there's a company out there - I'll call them out - Auto Co, I think, is the way you pronounce it. And they demonstrated a fully autonomous artificial intelligence system creating a Delaware-based LLC. And so now that you have - and this is what is known as an on-chain corporation, based on blockchain. So now every single thing, all the transactions, the business transactions, in a level four AI - -
Tim Callan: Can all be blockchain.
Jason Soroko: It's just blockchain. So what was missing? The missing piece was AI needed to create the equivalent of a person. Well, that's what an LLC is. Now it can do that. Well, the second thing it needs to do is transactions. It's going to put its transactions on the same chain. And I think that level three to level four AI is the second killer app of blockchain.
Tim Callan: Fascinating.
Jason Soroko: And that will happen in 2025. Look, a couple other ones. Because I just - I think it's worth calling out. I don't want to get into politics here too, too much. But we're in a crazy political world at the end of 2024.
Tim Callan: We are.
Jason Soroko: Worldwide. Not just in Canada or the United States. Worldwide, things are interesting. Let's call it that. I think some of the things you're seeing in the world right now that are just uncomfortable or weird, and some of the brazen nation state attacks that are going on right now - I think unfortunately, 2025 might be the year that we have to change what we've said, Tim, you and I, about OT systems and the fact that we think that the bad guys - call them whatever you will - nation states that are adversaries, have been extremely disciplined in not attacking OT. Excessively.
Tim Callan: A lot of people speculate that this is basically a mutual assured destruction situation: I can take down your power grid, but you're going to take down mine. You think we start to see those things really happen?
Jason Soroko: I think 2025 is the year it's going to ramp up, and you might see at least one or two where you go - where you and I will have a podcast on it, and we're going to go, whoa. And so we can't just pay lip service to OT security anymore. We're gonna have to do real, actual security.
Tim Callan: That's a tough one. That's a hard one. That's not so easily actioned.
Jason Soroko: I'm not saying the actions will be effective at all. I am saying, though, the wake-up call will happen in 2025.
Tim Callan: That's interesting. I sincerely hope that we're sitting here a year from now going, wrong, but - -
Jason Soroko: I would love to declare that one wrong.
Tim Callan: But I think there's a very real risk of that.
Jason Soroko: Final one, Tim, and I want to circle it all the way back to the public trust. And this is my question to you about what you predict about the long tail of Certificate Authorities. Reading Ryan Hurst's blogs at the end of 2024. You're plugged into this world. What happens to the long tail of CAs in 2025?
Tim Callan: So I think I'm going to tie this into the first one I'm going to bring up.
Jason Soroko: Perfect.
Tim Callan: Which is, I'm predicting a general tightening up of the WebPKI. I think the WebPKI was extremely loose, was badly out of control in the early teens, the 2010s, and we got some basic control and expectations and normative behavior in place. In the last few years, maybe the last five years, the progress on upping the ante on security and reliability and predictability and trust has gone down tremendously. We've seen a lot less progress, and we've seen pressure building up around that, which blew up in the Bugzilla bloodbath, the DelRev incidents, the pressure on shortening certificate lifespans, all of that. I think we will see a general, across-the-board tightening of the WebPKI, in a number of ways, in 2025, as various parties, driven by the browsers, where the power is, say, look, we've had enough. You guys are like a bunch of unruly teenagers, and we're going to put our foot down, and we will see a tightening of the WebPKI in a variety of ways across the board. This isn't me being some great seer, because there's been a lot of conversation about this. Like, we're seeing an appetite from the browsers to push these things in a way that we haven't seen in the last few years. And I think part of that was COVID. I think when COVID rolled around, everybody got real conservative about this kind of thing for a while. Now that we're coming out of it, there's been a dearth of progress, and there's an appetite to make up for it. As part and parcel of that, yes, the question has been asked, do we really need 80 CAs? And it's important to remember that every CA is equal in its level of threat to the WebPKI, regardless of the amount of real usage that it has. So it would be a fallacy to say, well, if you take four or five CAs, they account for 99.99% of the certificates out there, so as long as those four or five CAs are good, you're okay. That's a fallacy.
The way to think about it is, if digital identity is a wall that keeps out the invaders, then every CA is a gate in that wall, and every gate is equally large, and every gate is equally suitable for invasion. And every gate must be protected. And if a gate is well protected, like, let's say, Sectigo, but a gate next to it is entirely unprotected, like some of the ones that were distrusted in 2024, then the invaders will just go through there. And so if you can't protect all the gates, another thing you can do is brick them up. I do think that there will be more distrust events by root programs in 2025.
Jason Soroko: There's the prediction.
Tim Callan: I do not think there will be a wholesale house cleaning. I do not think we're going to suddenly go down to 30 CAs. But I do think there will be more distrust. And I think this conversation about why on earth we have 80 CAs, when we probably could do it with 10, is a conversation that will continue.
Jason Soroko: Very good, Tim.
Tim Callan: So there you go. There's my WebPKI tightens up. Shall I go down a few of mine? So, excuse me if we return to the AI topic real quickly. I want to go back to deep fakes. I think 2024 was the year that deep fakes moved into the popular understanding. And we predicted this. I think 2025 is the year that, in general, we give up on any concept of believing in the veracity of a so-called recording without independent confirmation.
Jason Soroko: There's absolutely no question. So if you watch social media at all, it's now become commonplace to watch world leaders literally rapping together. And some of them really do look like an AI thing, and it's fun. But now with Sora being released, and there's some incredible video AI going on out there, and certainly audio is - it's as good as reality already. You can be shown video to your face that is indistinguishable from reality. And I totally agree with you. We all have to change our minds about what we consume and what we believe we're looking at.
Tim Callan: And just kind of fundamentally be as skeptical of a 'recording' as you would be of hearsay. Oh, can you believe that such and such said this? I don't know if he said it. And that's the same way we're gonna get, even if you supposedly see the person saying it on video. I think 2025 is where that's gonna kind of move into the common understanding. Another one. I think in 2025 certificate automation, CLM, ACME, all of that - let's call it certificate automation and certificate agility - becomes a de facto boardroom topic. What I mean by this is that if it's not a boardroom topic or not already solved, you are in the minority. That is my prediction for 2025.
Jason Soroko: I gotta tell you, that's a big swing.
Tim Callan: They're gonna flip. It was a little wedge of people who were thinking about it, and a giant pie of people who weren't. They're gonna flip in 2025.
Jason Soroko: 100%.
Tim Callan: There'll be a little wedge of people who aren't thinking about it, and a giant pie of people who either are or have already addressed it.
Jason Soroko: Between the shortening of certificate lifespans, between PQC, and between, hey, we've got better things to do than to manually swap out certificates every 30 days.
Tim Callan: And outages, like, they keep right on going. Still see headlines. Like, all of these things are gonna combine. This is the year where we see that occur.
Jason Soroko: Thank goodness. But thank you for that, Tim. Agreed entirely.
Tim Callan: Then, connected to that, this is a topic you and I have touched on only a little, but I still think it's really interesting. I think 2025 is the year that we see the emergence of a bona fide category that I'm gonna call namespace management.
Jason Soroko: That is so badly needed. We covered it.
Tim Callan: We've talked about it in like one or two episodes.
Jason Soroko: And it was important.
Tim Callan: But we need to talk about it more.
Jason Soroko: No, in fact, that is something we need to podcast on definitively. I agree with you. That's huge.
Tim Callan: I mean, it's a big need. It's a big opportunity. We've seen tech providers emerge who can do this. It has real utility. There are attacks, real-world attacks, that are coming around weaknesses in namespace management. I think this is the year that we see this emerge as a bona fide category - well, it'll still be forward-thinking organizations that are doing it, but where we all start to look at it as, okay, this is a real thing that is on my security playlist.
Jason Soroko: Perfect. And I'm glad for it.
Tim Callan: I agree. I agree. Vendor assessments. Tim's favorite hobby horse, except for delayed revocation. Vendor assessments. Vendor assessments become basically ubiquitous. They get longer. They get more detailed. They get more exacting, and they just are everywhere. I think 2025 is the year of the vendor assessment. It's getting to the point - I mean, there's new legislation coming out for financial institutions, setting minimum standards for supply chain assessment, and they are very exacting standards. And this is happening in multiple countries for regulated industries, and it's going to be very, very normal. Now, what I'm not predicting for 2025, which we need, is a standardized way to do this. Like, there is absolutely no reason why there couldn't be a list of 1,000 questions. They're the same 1,000 questions, and we all know what they are, and we all go to get an answer once, and then everybody just gets our list. We do this exactly once. Same questions in the same order, with the same numbers next to them. That is something we need. I do not believe that's happening in 2025. I think it really should, and I would like to see that, but I don't think that's going to come together this year. But I think this year, this is going to be just everywhere. And as part of that, there will be the emergence of this as a major pain point, as a crisis that needs solving for the enterprise, as we find ourselves in this situation where you can't operate because of the vendor assessments you're being subjected to.
Jason Soroko: Very good.
Tim CallanTim CallanSo that's one. So returning to AI and PKI, there was a conversation that you and I had prepping for this, and I think we want to bring it up here, which is, I came in with a prediction which is that PKI is going to continue to be relatively unaffected by AI. And then you push back on me. So let's start with my prediction. My prediction is that of all the things in our grand world that are being transformed by AI, PKI has come out pretty much unaffected. And I predicted the same thing for 2025 and then you said, what?
Jason SorokoJason SorokoThe reason why I agree is because it is such a like the steps to perform PKI properly do not require reasoning. They do not require. The steps are defined.
Tim CallanTim CallanAI is great for things that are fuzzy, nebulous, things that, for want of a better word, I'll say, require judgment. And PKI is the opposite of that.
Jason SorokoJason SorokoExactly.
Tim CallanTim CallanPKI requires exactitude. And exactitude, sorry, is one of the things that our LLMs aren't all that good at.
Jason SorokoJason SorokoThey're not good at all, especially right now. Hopefully get better down the road, but at the moment, you're absolutely right. There's two aspects to this, and we could probably come up with more of the pushback and the however, and one of them is going to be, look, there's a lot of first and last mile problem that we have in the identity industry that Agentic AI will be ideal for. So that's number one. But that's not how you generate a public and private key.
Tim CallanTim CallanThat's like applications and use cases of PKI, which is important, it's not basically the same as the actual bits and bytes, the ones and zeros of the PKI.
Jason Soroko: I will say that on the offensive side, this is where we have to think about AI. Because the mistake to make is, we're a prescriptive industry, for very good reason. The steps are clear. We don't need some sort of artificial reason and judgment. However, that's exactly what the bad guys need. Therefore, attacks against RSA, for example, and I'm talking about classical reasoning like symbolic algebra, where entire swaths of number space are the reason why traditional computers can't break RSA. Well, what happens if you take concepts such as quadratic sieves, which is like some of the best thinking in terms of minimizing the amount of brute force you have to do to look at prime numbers in that number space and reduce the problem set? Well, AI is particularly good at creatively looking at entire sets of problem set, much more than the human brain can, and say, oh, I know how to do something equivalent to a quadratic sieve now that you've trained me on it. And I can do it 100 times better. And I'll tell you what. Think about this. This is what's interesting just in terms of - and I think we're gonna have a whole podcast on this. If you have maybe - I'm going to throw the number at you, Tim - eight people in the world who are the true experts at the possibility of breaking ECC or RSA, maybe, let's say there's less than two handfuls of people who really are the true experts. And I think you said it best when we were talking about this. They have weekends and children.
Tim Callan: They go to baseball games.
Jason Soroko: They're human beings.
Tim Callan: And they go to weddings and they sleep, and they do all these really kind of disruptive things that prevent them from being productive.
Jason Soroko: Make AI 8/10 of the way to those guys, and women, and oh my goodness, that AI won't sleep.
Tim Callan: Well, first of all, it won't sleep. First of all, it'll work around the clock all the time. Second of all, just throw more chips at it. And instead of having 8 people, you can have 800 people.
Jason Soroko: What happens if you go from 8 to 800 to 8,000? And all of a sudden, whoa. You might have classical mathematics improved.
Tim Callan: So you can imagine a scenario where there's this army of helpers who are investigating every squirrely angle you can think of, no matter how unlikely, and coming back with everything that seems interesting, and then those eight people who really know this can sort through it, pull those lumps of gold out of the sand, and that could be a real, a real game changer in terms of attacks against cryptography.
Jason Soroko: That's my point.
Tim Callan: It's interesting. Again, let's hope not, but it's something to be worried about.
Jason Soroko: It comes down to the question of, will PQC break RSA first, or will classical mathematics break it?
Tim Callan: Classical mathematics with AI-assisted classical techniques break it. I love it. And then the last one, just because I have to say it, because I always have to say it, is, I think once again, 2025, as every year as long as we've been doing this, is going to continue to be the year of government versus the internet. There's no sign of anybody letting up on their viewpoint that governments want to control and break the internet, and they're trying to break the wheel of technology continually, and they're going to keep right on doing it.
Jason Soroko: In fact, Tim, we're going to do a podcast on what I think is the - we have just entered the third phase.
Tim Callan: Yes, yes. That's a little teaser for a feature episode, third phase. So that's it. Bunch of predictions. And as you and I have decided to do, a year from now, we'll come back and we'll see how we did.
Jason Soroko: How well did we do. So thank you so much, Tim. That was great.
Tim Callan: Thanks, Jason. This has been Root Causes.