He Bequeathed You His Instagram Account
What happens to cryptographic keys after you die?
In Japan, citizens have been advised to give loved ones access to their smartphones and subscription details to make a post-mortem cleanup easier.
This story, reported in The Register, reminds me how short-sighted most cryptographic systems are. Death is inevitable and yet ignored in almost every consumer product. Users have to violate best practices by writing down usernames and passwords or giving others access to their critical data. In many cases, this breaks the terms of the services they are using.
Enterprise systems often have the same problem. Powerful root accounts need to be shared between a few trusted individuals. There are cryptographic solutions to this problem, such as secret sharing, but they are often not implemented.
These are the symptoms of a cyber industry that relegates "far away" problems to a later software release (which never arrives). In my experience, many systems don’t even support key rotation.
I’m not sure how we can fix this systemic issue. But I suspect it involves better cryptographic education for the next generation. More emphasis needs to be given to the lifecycle of cryptography, and the techniques we have available to handle the inevitable changes in business and life.
Take a Long Hard Look in the Mirror
Amid the flurry of reactions to the NIST announcements, something critical is being ignored.
When NIST publishes its advice and standards, it sets the **low bar** for acceptable practice. Their job is to find a pragmatic path forward, which inevitably aligns with the lowest common denominator.
There's no perfect answer to balancing the need for stronger keys with the migration to quantum-safe algorithms. However, while I still question if the decisions made were optimal, I’m expecting cyber practitioners are already taking action.
If you still use 2048-bit RSA keys in 2024 and don’t have a near-term plan to lengthen them, you are negligent.
If you wait until the last possible NIST-approved date before you retire algorithms, then you’re a cryptographic jackass.
If the idea of more than one cryptographic migration in 10 years gives you cold sweats, you need to build more agile systems.
In short, we should stop bashing NIST for their necessarily one-size-fits-all crypto advice. Instead, we need to be deeply critical of a cyber industry that still hasn’t finished its SHA-1 migration.
Time to step it up, folks!
On the Convergence of Certificates and Mayflies
Is the world ready for shorter certificate lifespans? The answer isn’t clear, but we may be heading in that direction regardless.
Many of my posts focus on the post-quantum migration, where NIST will struggle to enforce its migration timeline outside federal agencies. The world of certificates, however, is quite different.
A small group of gatekeepers set the rules, and tech companies with massive user bases can make unilateral decisions. Google has been shaking things up since 2023 when it suggested certificate lifespans should be reduced from 398 days to 90 days. Apple recently proposed to halve that again, demanding 45-day validity periods by 2027.
Shortening certificate lifespans does come with potential security benefits. Attackers would have a smaller window to abuse compromised keys, plus it will trigger the adoption of automated certificate management tools. This is seen as a positive move – carefully managed certificates leave less room for errors and outages.
But the downsides are also significant. Organizations seem ill-prepared for this shift, and smaller enterprises won’t relish the investment in automation tools. Inevitably, certificate expiries will increase, which may lead to users routinely ignoring warnings.
Ultimately, the power rests with big tech companies. With one button press, Google can instruct Chrome to stop trusting long-lifespan certificates. We must hope they wield this privilege carefully and with forethought.
Whatever happens next, this will be a fascinating sector to watch.