Digital identity, a sector far from boring
When I started working in the field of digital identity more than ten years ago, it was often described as a mature, stable, even somewhat static sector. Today, it is clear how limited that perception was. Trust management is in fact undergoing a phase of profound evolution, driven by technological, regulatory, and geopolitical changes that are redefining its fundamental assumptions.
If it is true that many of the protocols underlying digital identity are based on standards developed in the 1990s (such as the PKCS family) and that asymmetric cryptography was invented in the 1970s, the trust management sector is now in a phase of great dynamism. The importance of these technologies as the foundation of any cybersecurity system, the pervasiveness of the concept of digital identity, and the multiplier effect of these technologies on the economic and social growth of an entire country have certainly generated great interest and contributed to technological innovation processes that will affect the future of all of us.
The challenge of post-quantum cryptography: protecting today what will matter tomorrow
One of the most important topics emerging in discussions about the future of trust management is the transition to cryptographic schemes capable of resisting attacks from quantum computers. For those interested in exploring the topic further, at Namirial we have already discussed it in these two articles:
Towards Quantum-Safe Trust Services: the race against time to prevent the Quantum Meltdown
Training crypto-agility to win the giant slalom among Quantum threats
Now it is becoming clear to many that in the future we will face a significant problem, because the cryptographic technologies that protect us today may be inadequate tomorrow. But many of the documents and transactions protected today may also retain value tomorrow. For example, a contract preserves its value and effects for many years into the future, when quantum computers may be able to break the technologies currently used to certify the identity of the parties who signed the contract.
Why we cannot afford to wait
Even though the risk is not yet concrete, it is unthinkable to wait until it materializes, precisely because there is a gap of years between today, when information is protected, and tomorrow, when breaking it will be both technically possible and advantageous for a determined attacker. The major investments made by the world’s largest players in the field of quantum computing, often as part of national framework programs, suggest that this dynamic could materialize rapidly.
Interoperability and network effects: the complexity of the transition
If this is the problem, when we place it in the context of trust management we can highlight additional critical issues. Trust management systems work also because they present high levels of interoperability. A digital document signed by two parties remains understandable and verifiable by both (or by anyone else authorized), even if the signatures were issued through the services of two different qualified trust service providers, since both rely on standardized technologies. This is the so-called network effect, which can contribute to the spread of new technologies (the fax, in the early 1990s, was all the more useful the more your correspondents used it) but can also hinder it, as is the case with the post-quantum transition of trust management.
Indeed, if one market operator begins to provide services suited to the new threat, how will its customers benefit if that technological advancement is not interoperable?
Global roadmaps towards post-quantum
Also for these reasons, regulatory bodies at global level (such as NIST for the United States of America and the European Commission for Europe) have produced roadmaps for the post-quantum transition. Without going too much into detail, it is interesting to note that both documents substantially agree on two dates. The first is 2030, by which high-risk systems must be migrated to post-quantum cryptographic schemes, while the 2035 deadline concerns medium-security or legacy systems. We do not know whether they know something we do not; they certainly demonstrate the need to be prudent and proactive.
Four years from now – is that a long time or a short time? It is sufficient if the entire trust management ecosystem gets moving. It is necessary to act on numerous players in the value chain, of which trust service providers are only the most visible to the end user. Agreement is needed on cryptographic algorithms, standards and conformity tests, and this must be transferred into products and solutions that scale in a complex, dynamic and always-on context. We must move from a world in which the same cryptographic scheme (RSA) was used for everything to one in which different schemes will need to be used for different purposes. A world in which crypto-agility, that is, the ability to adapt a system or protocol to new cryptographic techniques, will have to be embedded in the design, and in which many widely used protocols today will need to be adapted.
Namirial’s strategic vision since 2020
So should we be worried? No, we should be attentive. Aware of technological and scientific developments, of the need for a long-term industrial strategy, and of the investments required to ensure service continuity and trust towards customers.
At Namirial, we began addressing these topics in 2020, so already six years ago. For me it was fascinating to be able to start thinking well in advance about the issue, when no one was talking about it, working on the strategic dimension of innovation. Our first cryptographer hired by the company dates back precisely to that period, due to the awareness we had — and that has always been supported by ownership and management — that one day we would need to know what to do.
We therefore involved cryptographers, cybersecurity researchers, security solution developers, centers of excellence and universities. We explored a sector that at the time was almost unknown, at times impervious, gathering information, conducting analyses and experiments. We developed research projects, participated in conferences, collected opinions and discussed internally. In this way, we were able to build significant expertise on the topic, which today we want to make available to our customers, but which must also contribute to the progress of the entire reference market.
Digital identity as a frontier of innovation
Today we are convinced that the post-quantum migration can be achieved, with commitment but also with confidence in the objectives, and that it will help define the technological foundation of the trust management sector in the coming years. We believe our customers can feel confident in a plan that is already showing its effects and that will move toward other ambitious goals in the future (which, however, we will reveal to you only in a few years).
In light of all this, the idea that the digital identity sector is not particularly exciting now seems more distant from reality than ever. For us at Namirial, it never has been.
