The New Normal of European PKI – An Interview With CA Expert Adam Ross
The roundtable «Evolution of Trust: Get ready for PKI 2.0» covered some of the most confusing, yet vital, topics that still puzzle many cybersecurity experts. Has COVID-19 affected the PKI landscape? eIDAS and PKI: how do they correlate? What will the growing importance of public CAs bring? We interviewed Adam Ross, product and sales manager at cryptovision, and asked him the trickiest questions about the new normal of European PKI.
Adam, would it be accurate to say that eIDAS acceptance shapes the European PKI?
Yes, in fact I would contend that eIDAS is not only driving the widespread adoption of PKI in Europe, but it is actually shaping the adoption of PKI in other parts of the world. Since many European countries have been using PKI for many years, and in some cases decades, the EU standards bodies like ETSI and CEN have made a rich body of standards that other countries can leverage. This is often reflected in public tender procurements outside the EU having requirements that could be considered eIDAS-like.
Why is a CMS required if the basic tasks of certificate management are performed by a CA? In your opinion, where is the border between CA and CMS responsibilities? How should the tasks be correctly divided between these two systems?
One of the biggest challenges in any PKI is ensuring a high degree of identity assurance. When using software digital certificates alone, there are challenges, as it is possible to create perfect copies of the private key when it is used as a P10 or PFX file. In order to address this challenge, hardware-based secure elements are used to prevent the extraction of key material, and CMS systems are instrumental in managing the digital certificate and the associated token together in concert. It is possible that CAs who mint certificates will outsource card and token management to third parties, but this can only be done when both organizations strictly adhere to the protocols and processes documented in the Certificate Policies and Certificate Practice Statements. When both organizations are in compliance, all tasks would be reportable and auditable by supervisory bodies or external auditors.
Is there a trend to switch from signing documents by hand to electronic signatures? Do they have legal force?
The new normal of remote office work is a key driver for processes that can be trusted at a distance. Digitalization is one of the biggest enablers of significantly more efficient workflows. Why should an employee who is working from home have to download a form, print it, sign it with an inked signature, then scan a copy and email it to an approver? A streamlined process where a form can be digitally signed could literally save hours, or in some cases even days, while also adding aspects of identity assurance and fraud reduction. Under eIDAS, both advanced and qualified electronic signatures have the same degree of legal recognition as an inked signature.
What is the relevance of public CAs in the new normal?
Public CAs will have a growing significance as the scope of electronic services grows. The use of digital seals for communication from public agencies to customers will lead to greater degrees of trust between parties, and related services like time stamping and electronic registered delivery services can be regarded as an evolution of the traditional services offered by postal agencies or notaries. As trust service providers, these CAs will help to keep business and commerce moving along even when our own ability to travel might be impacted.
You still have a chance to catch up with the latest PKI trends. Just request the video recording of the roundtable «Evolution of Trust: Get ready for PKI 2.0».