September 4, 2017

Blog post

Don’t get run over by quickly changing PKI standards

Keeping up with standards

As cybersecurity gets more complex and the threat landscape evolves, PKI remains, as always, one of the underpinnings of a robust security infrastructure. As technology evolves faster, so does PKI, and the teams responsible for operating it must stay on their toes to keep up. Running a PKI demands more from your team, for a number of reasons.

Technical standards change fast

Technical standards evolve fast, with new protocols and algorithms being taken into use and old ones being phased out as insecure or insufficient. New products in your environment use new protocols to communicate and new algorithms to protect their communication. On the PKI side, we see new protocols such as EST and extended use of REST APIs, as well as changes in how older protocols are used, such as OCSP with the introduction of OCSP stapling. New algorithms such as ECDSA and RSA-PSS are quickly entering the mainstream. Neither your old PKI nor your old systems were equipped to handle this 5-10 years ago, so a transition and continuous evolution are needed to keep systems secure.

Audit requirements become stricter

If you are in a larger enterprise or in a regulated industry, chances are high that, one way or another, you will be affected by audit standards like WebTrust, eIDAS or industry-specific requirements such as those of the CAB Forum. In addition to these there are other domain-specific requirements, such as Certificate Transparency for web server certificates, and cloud, IoT and grid security standards. More regulations are coming. In response to increased threat awareness, audit standards are also rapidly evolving to keep up, meaning that this is not something you implement once and then forget. You must keep abreast of new changes in the requirements every year. Examples where strict guidelines have changed recently, and where you need to adapt, are TLS, code signing and digital signature certificates.

Software changes faster

You may think that you are not affected because you only run an internal PKI in your organization, and that these standards only affect regulated CAs. But that can be a dangerous assumption. Much of the software in the ecosystem, such as the web browsers and email clients that your users rely on every day, also changes rapidly in response to new threats and updated requirements. Therefore, if you don't keep yourself updated, you may find that one day your users cannot connect to your internal systems, or are faced with security warnings, after a simple web browser update.

Be educated and keep security and DevOps together

Keeping up to date is hard even for seasoned security experts, so how can the normal enterprise stay on top of it? The simplest recommendation is that if you are affected by any of these standards, you should set time aside for a person responsible for compliance to monitor the landscape and plan changes in good time. Changes are usually announced well before they go into effect, and with good planning these changes can be rolled into your normal DevOps routines. Security today is an integral part of an agile enterprise, and security and operations teams must work closely together, align goals and plan activities together.

Upgrade your PKI systems

PrimeKey spends a lot of time implementing new standards and features as they emerge, both in EJBCA for the pure PKI and in SignServer for time stamping and digital signature standards. Our aim is that new versions of our solutions containing the features you need to be compliant are out there in good time. We love working with you to understand and talk about new requirements. Keep your systems updated with Support & Maintenance.



Tomas Gustavsson

Tomas is the co-founder and CTO of PrimeKey. He has been implementing PKI systems since 1994. As founder and developer of the open source enterprise PKI project, EJBCA, contributor to numerous open source projects, and member of the board of Open Source Sweden, Tomas is passionate about helping users worldwide to find the best possible PKI and digital signing solutions.