
Cryptography & Security Newsletter

119

NIST Publishes Roadmap for Post-Quantum Transition

28 November 2024

Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.

NIST recently published NIST IR 8547, a report that outlines the proposed transition to post-quantum cryptography. In a nutshell, we have up to ten years to migrate all or most of the world’s cryptographic systems. Technically, NIST can’t tell the whole world what to do, but it’s been leading the way with good work, and it makes sense for everyone to synchronise their efforts.

In truth, no one knows if ten years will be sufficient. There are some use cases where time is of the essence. Anything that’s subject to “store now, decrypt later” attacks has to be dealt with quickly. TLS falls under that, and that part of the transition is well under way. When it comes to real-time authentication, that can wait until later. In the middle, we have cases with IoT devices that cannot be easily updated and those with documents that need to be stored encrypted and kept safe for longer periods of time.

This is a lovely report to read if you haven’t been paying a lot of attention to this problem, and possibly even if you have. Across about twenty pages of text, NIST presents a clear plan, giving an overview of the types of cryptography, what’s vulnerable and what’s not, and how we should go about fixing the problem. We’ll need many more documents, but this is a good start.

Apple Tweaks Certificate Lifetime Proposal

You may recall from our edition from last month that Apple is working on a proposal to reduce the maximum certificate lifetime to forty-five days: quite a bombshell. The proposal is still on the cards, although it’s been tweaked slightly. In the latest version, the first milestone will be in March 2026, when certificates will be limited to two hundred days. One year after that, it will be one hundred days, and in March 2028 that will be reduced to forty-seven days.

Over at the CA/Browser Forum, discussions are now ongoing (check out the November 2024 minutes for the details). At this time, the main conversation seems to be on deciding how to handle the public feedback, something that may not have been necessary in the past—most proposals don't really affect end users.

In terms of justification, a paper measuring stale certificates in the wild from Zane Ma et al. is often mentioned. It's an interesting read, but nothing in it seems a big-enough problem to require an urgent decision. In any case, the proposed reduction of the lifetimes will take about four years, so we have enough time to have a good discussion about it.

Let’s Encrypt Started Ten Years Ago

Let’s Encrypt announced its existence and plans in a blog post published on November 18, 2014, almost exactly ten years ago. Although the company is on the record as wanting to instead celebrate ten years from the moment it opened its doors to the public, we shouldn’t waste any opportunities to celebrate how much Let’s Encrypt has accomplished. Not only are certificates largely free today, but without Let’s Encrypt, we wouldn’t be anywhere close to ubiquitous issuance automation. Well done.

There'll Be Some Changes Made

Guess who’s also ten years old? When I wrote the first newsletter in October 2014, I didn’t really expect that we’d still be going strong ten years later. But we kept at it, month after month, and years flew by. Somewhat fittingly, by the end of 2024, we will have published 120 newsletters across a decade. Last month, as we quietly celebrated our ten-year milestone, we decided that it was time for a reset, but we don’t yet know what that means. Don’t mind us if, in the following months, we experiment with the format to see what suits us best.

What are we thinking? First, we might switch to a less regular schedule in which we send newsletters when there are things we have to say (but no more than weekly). We’ve often felt constrained by the fact that we’re publishing monthly. This meant that we couldn’t write about things as they were happening. By the time our newsletter went out, some things would become old news.

The other factor is about the short news segment. We’re not sure there’s enough value to justify spending a lot of time manually collecting these news items every month. We don’t want to give up on them completely, but might look into automating how they’re collected and distributed.

Finally, we’ve been worried that we’re focusing on a topic that’s too small and that a successful newsletter needs a wider audience. We’ll be considering expanding our coverage to cover a wider range of security topics.

There'll Be Some Changes Made is a song by Chet Atkins and Mark Knopfler from their joint work Neck and Neck. The song is a gem that makes me laugh every time, and the entire album is wonderful.
