TPG: Tell us more about the goals of the ASC X9F PKI Study Group.
DC: Let’s start first with ASC X9. ASC X9 is accredited by ANSI (the American National Standards Institute) to develop and maintain voluntary consensus standards for the financial services industry. X9 has over 100 member companies and over 250 participating member representatives. The group has over 40 years of experience developing domestic and international standards for the financial services industry. X9 has five subcommittees, which are responsible for 125 standards. The PKI Study Group falls under the X9F subcommittee called “Data and Information Security.”
Now for some background on the Study Group: X9 member companies and the financial services industry have traditionally relied on the public web PKI to secure financial transactions. Companies have used these PKI certificates outside the public web PKI. The public web PKI is overseen by the browser companies (Apple, Google, Microsoft), who also have the authority to dictate changes to those certificates.
The reliance on web-based publicly trusted root certificates for non-web-based use cases has led to serious issues for the financial industry. For example, when browser companies decided to stop using the SHA-1 protocol and prohibit Certificate Authorities from issuing SHA-1-based certificates in a very short time, this had a big impact on existing payment terminals that had not been fully migrated by that date.
In Phase 1 of our study, the group looked at all the use cases of PKI in financial services and concluded that continuing to use browser-based publicly trusted certificates for non-browser use cases poses an unnecessary risk to this community, by allowing a third party not related to the financial industry to control these certificates. Our report was presented to the X9 Board in November 2019. The board authorized a Phase 2 of the Study Group to commence in 2020, and I am now leading this effort with my vice-chair Bill Poletti.
TPG: What are financial services’ needs when it comes to PKI?
DC: Phase 1 of the Study Group identified 26 use cases for PKI in the financial services sector. Examples include financial TLS, blockchain, code signing, device authentication, ATM and POS PIN encryption key distribution, and TLS Point of Interaction services. The group then ranked them by usage, risk and priority, which generated an overall importance score. From this list, the top six were selected as needing further review and will be studied as part of the group’s Phase 2.
TPG: What are some of the changes you expect to see and implement?
DC: Our group’s Phase 1 work made it clear that moving away from the public PKI for as many use cases as possible is necessary to reduce risk to financial services. While this is not possible for browser-based financial services interaction (i.e., on a website), it’s certainly doable for other use cases. How this will be done is at the core of Phase 2’s responsibilities. There are several models to explore, including an X9-specified PKI, or perhaps utilizing an X9 “bridge” approach to allow multiple financial PKIs to interoperate to a common standard.
TPG: What is DigiCert’s role with the group?
DC: DigiCert is an X9 member and has participated in various subcommittees over the last few years. In 2018, I was appointed Chair of the X9F PKI Study Group. Personally, I don’t come from a financial services background, but I have served as Vice Chair and Chair of the CA/Browser Forum as well as of several other working groups. It actually works out well, as I rely on the Study Group members and their expertise to drive the technical discussions, while I try to put some organization and boundaries around the topics to get us to conclusions. It’s safe to say that I’ve learned a lot about financial services since I started working with this group.
TPG: What’s the latest with certificate management?
DC: The buzzword around certificate management is automation. The need to manage multiple certificates and shorter validity periods means that organizations cannot rely on spreadsheets and manual certificate installation methods. Being able to automatically update a certificate when it expires or needs to be revoked has big benefits with respect to labor, downtime and productivity.
TPG: How does X9 work with other standards organizations?
DC: ASC X9 represents the United States on three ISO technical committees. We’ve always made a point of collaborating with other organizations in our field. X9 has alliances with multiple organizations involved in financial services. Examples include the PCI Security Standards Council, ISO TC68 (ISO 20022), INCITS, OMG, Afinis, ISITC, the Information Systems Security Association (ISSA) and others. These alliances are used to exchange ideas and information, and to seek technical expertise that may not exist within X9.
TPG: What are you hoping to achieve specifically with the PKI Working Group? And when?
DC: Phase 2 of the Study Group is chartered to complete its task by the end of this year. We have to develop a set of practices and policies around the top six use cases identified in Phase 1. We are tasked to come up with an audit framework, a financial analysis and a model for how an X9-specified solution could support this industry. That’s a tall order in a relatively short timeframe.
TPG: How has PKI changed/evolved in the past few years?
DC: While the underlying technology supporting PKI hasn’t changed much, the use cases for PKI continue to expand. Places where you never thought much about certificates being used are opening up due to the need for authentication, integrity and encryption. Devices as basic as cameras and cable boxes to complex systems like autonomous automobiles and industrial control systems need to include this technology to prevent spoofing and traffic interception.
Also, web PKI use continues to grow as browsers change their user interface to warn users that they are not on encrypted pages. This drives all websites to acquire TLS certificates, and recent statistics show that we are at about 88% encryption across the web. There are over 80M certificates in use on websites today. Our focus is on modernizing PKI management and delivery capabilities to suit this expanded use and simplify deployment.
TPG: What do you think is on the horizon for cryptography, especially with quantum computers?
DC: Quantum computers hold significant promise in solving complex mathematical problems that could greatly help society. But they can also use that power to factor the large prime numbers that are the basis for RSA-based encryption. Hence, the industry is looking at “quantum-safe” algorithms, often referred to as post-quantum cryptography (PQC), which would be immune to the risks that a quantum computer would pose. We believe there is still time to investigate this.
Luckily, the National Institute of Standards and Technology (NIST) in the United States is evaluating several quantum-safe algorithms and will select “winners” in the coming years. On a side note, my company is testing these PQC algorithms and paying a lot of attention to these developments as well. Several promising solutions are out there, and the financial community is evaluating them as part of the X9F5 subcommittee. Additionally, X9 has formed a group to study the risks to the financial industry from quantum computers. Its first white paper is available on the X9 website: https://x9.org/.