ITU-T Update: Mark Pecen and Alex Truskovsky Talk Quantum-Safe X.509 Certificates

Published on Apr. 24, 2018

In April 2018, at the ITU-T Headquarters in Geneva, Matthew Dalais of ITU interviewed Mark Pecen, Chief Executive Officer, and Alexander Truskovsky, Senior Product Manager, about quantum-safe X.509 digital certificates and the most recent revision of this key standard in the public key infrastructure.

Mark Pecen provides a brief introduction to quantum computing and its threat to cybersecurity in general, shares his own motivations for working with international standards organizations, and discusses how he views the timeframe for the X.509 standard.

The threat of quantum computing on cybersecurity

Pecen discusses how many problems unsolvable by today’s classical computers, will soon become easily solvable with the introduction of quantum computers. Problems such as, “integer factorization and discrete logarithm problems, both of which protect our information on the internet,” are two such problems, that when solved will leave our data vulnerable to attack if we have not yet implemented quantum-safe cryptography.

Involvement with international standardization

Pecen also outlines that he believes it is vital for serious and sophisticated users of cryptographic solutions, such as governments and OEMs, to work on an internationally compatible playing field, meaning that they comply with existing standards globally. He states that he sees international standardization as the most effective tool to achieve this goal. In addition, he highlights his appreciation for the many experts that join to work with standards and the credibility that is achieved via strong collaboration.

The timeframe for X.509 and its revisions

The revision to the X.509 standard involves adding separate hybrid certificates allowing for the coexistence of new and existing infrastructure and certificates, reducing the complexity and cost of public key infrastructure migrations. The vote regarding the revision to this standard will take place in September.

Alexander Truskovsky further discusses revisions to the X.509 standard, how they guard against the quantum threat, how crypto-agility will be incorporated, and where he sees the future of X.509.

How X.509 revisions guard against the quantum threat

Truskovsky explains how today’s organizations rely on complex infrastructure that is costly, complicated and time-consuming to migrate to a quantum-safe state. With an understanding that the only protection against the quantum threat is to migrate to quantum-safe cryptography, it is crucial that X.509 finds a way to increase the efficiency of this process.

Our contribution makes X.509 certificates more crypto-agile, reducing the overall cost and complexity of migration. Increased crypto-agility means the certificates will be able to support both classic and quantum-safe algorithms simultaneously, allowing organizations to experience smoother and easier migration phases.

Why crypto-agility is a vital revision

Currently, X.509 is designed around a single crypto-algorithm that may only be migrated if it is either duplicated, or a forklift upgrade is performed requiring that all systems be shut off and replaced. Each of these processes is highly impractical for large organizations. He makes clear that by adding crypto-agility, we are providing an alternative migration option that allows infrastructure to remain secure throughout implementation phases.

The future of X.509

When asked about the future of X.509, Truskovsky stated that this certificate has been serving us for 30 years, is the most widely used certificate in the world, and is expected to serve for many more years into the future.