What's Up with Tech?
Tech Transformation with Evan Kirstel: A podcast exploring the latest trends and innovations in the tech industry, and how businesses can leverage them for growth, diving into the world of B2B, discussing strategies, trends, and sharing insights from industry leaders!
With over three decades in telecom and IT, I've mastered the art of transforming social media into a dynamic platform for audience engagement, community building, and establishing thought leadership. My approach isn't about personal brand promotion but about delivering educational and informative content to cultivate a sustainable, long-term business presence. I am the leading content creator in areas like Enterprise AI, UCaaS, CPaaS, CCaaS, Cloud, Telecom, 5G and more!
From PKI To Post-Quantum: Building Digital Trust That Scales
Interested in being a guest? Email us at admin@evankirstel.com
The lock icon is not a comfort blanket. It’s a contract. We sit down with Chris Hickman, Chief Security Officer at Keyfactor, to unpack what digital trust really means when every person, device, app, and service needs a verifiable identity. From the browser to the factory floor, PKI and certificate management quietly power secure connections, and when they fail, the business feels it fast. Chris pulls back the curtain on the policies, processes, and automation that keep identities reliable at scale—and why “crypto agility” is no longer a buzzword but a survival trait.
Quantum is no longer a sci‑fi subplot; it’s a timeline. With NIST guiding the retirement of RSA and ECC by 2030–2035 and global regulators aligning, organizations face an infrastructure‑level migration. Chris lays out a practical path: start with a full cryptographic inventory, assess risk to long‑lived data vulnerable to harvest‑now‑decrypt‑later attacks, standardize on TLS 1.3, and pressure vendors for post‑quantum roadmaps. We also tackle an accelerating reality: publicly trusted certificates shrinking toward 47‑day validity. Without automation, renewal cycles explode, toil multiplies, and outages become inevitable—making the ROI for certificate lifecycle management crystal clear.
Regulation and sovereignty add another layer. We cover DORA in the EU, evolving PCI requirements, and regional flavors of cryptographic standards that challenge compatibility. Then we look ahead to agentic AI, where identity at machine speed pushes PKI to new limits. The takeaway is simple: strong foundations—inventory, governance, and automated issuance and renewal—enable resilience, while brittle manual processes crack under pressure. If you lead security, architecture, or compliance, this conversation gives you a blueprint to build trust that lasts through quantum shifts, regulatory change, and AI scale.
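As an added illustration (not code from Keyfactor or from the episode), here is a small risk-based triage over a constructed cryptographic inventory that applies the order the show notes describe: find everything, then put quantum-vulnerable keys guarding long-lived data first, with expiry, TLS version and manual renewal as further findings. The asset names, retention periods and scoring weights are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Public-key algorithms NIST plans to retire (the RSA and ECC families).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH"}
PQ_RETIREMENT_YEAR = 2030      # from the show notes; some exceptions run to 2035
TODAY = date(2025, 11, 1)      # fixed so the run is reproducible (constructed)


@dataclass
class CryptoAsset:
    name: str
    algorithm: str              # e.g. "RSA", "ECDSA", or a post-quantum scheme
    not_after: date             # certificate expiry
    tls_version: str            # highest TLS version the endpoint negotiates
    data_retention_years: int   # how long the protected data stays sensitive
    automated_renewal: bool     # renewed by lifecycle tooling, or by hand
    publicly_trusted: bool      # subject to the 47-day public validity target


def tls_below_1_3(version: str) -> bool:
    major, minor = (int(p) for p in version.split("."))
    return (major, minor) < (1, 3)


def hndl_exposed(asset: CryptoAsset, today: date) -> bool:
    """Harvest-now-decrypt-later: a quantum-vulnerable key guarding data that
    stays sensitive past the RSA/ECC retirement date is exposed today."""
    return (asset.algorithm in QUANTUM_VULNERABLE
            and today.year + asset.data_retention_years > PQ_RETIREMENT_YEAR)


def findings(asset: CryptoAsset, today: date) -> list[str]:
    out = []
    if asset.not_after < today:
        out.append("expired")
    if asset.algorithm in QUANTUM_VULNERABLE:
        out.append("quantum-vulnerable algorithm")
    if hndl_exposed(asset, today):
        out.append("harvest-now-decrypt-later exposure")
    if tls_below_1_3(asset.tls_version):
        out.append("TLS below 1.3")
    if asset.publicly_trusted and not asset.automated_renewal:
        out.append("manual renewal of publicly trusted certificate")
    return out


# Weights are an assumption: an already-broken asset or one guarding long-lived
# data goes to the front of the migration queue; the rest rank by finding count.
def priority_score(flags: list[str]) -> int:
    score = len(flags)
    if "expired" in flags:
        score += 4
    if "harvest-now-decrypt-later exposure" in flags:
        score += 3
    return score


def prioritize(assets, today=TODAY):
    ranked = []
    for asset in assets:
        flags = findings(asset, today)
        ranked.append((priority_score(flags), asset.name, flags))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


INVENTORY = [  # constructed sample inventory, not real systems
    CryptoAsset("www-storefront", "ECDSA", date(2026, 1, 15), "1.3", 1, False, True),
    CryptoAsset("customer-db-backup-kms", "RSA", date(2027, 6, 30), "1.2", 10, True, False),
    CryptoAsset("factory-plc-01", "RSA", date(2024, 3, 1), "1.2", 20, False, False),
    CryptoAsset("api-mesh-gateway", "ML-DSA-65", date(2026, 4, 1), "1.3", 5, True, False),
]

if __name__ == "__main__":
    for score, name, flags in prioritize(INVENTORY):
        print(f"{score:2d}  {name:24s} {', '.join(flags) or 'no findings'}")
```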
Enjoyed the conversation? Follow the show, share it with a colleague who owns identity or crypto, and leave a quick review so others can discover it.
More at https://linktr.ee/EvanKirstel
SPEAKER_00:Hey everybody, fascinating discussion today as we talk about digital trust and cryptographic security done right with an innovator in the field at Keyfactor. Chris, how are you?
SPEAKER_01:I am very well, thank you. Yourself?
SPEAKER_00:Doing great. Thanks so much for joining. Really intrigued for this discussion. Before that, maybe introduce yourself, your background, and what's the big idea at Keyfactor?
SPEAKER_01:Yeah, so Chris Hickman, Chief Security Officer at Keyfactor. Keyfactor is an organization that helps our customers ultimately establish and manage digital trust at scale. Our view of the world is everything is connected and everything needs an identity, and that identity should be cryptographically derived. And in order to accomplish good identity and good security across all of these many use cases at play, those identities need to be managed, and organizations need to become ultimately very agile around how they manage those cryptographic assets.
SPEAKER_00:Yeah, indeed. And you know, trust is all over the news these days, digital trust as well, but beyond the buzzwords, what does digital trust really mean to you and the team at Keyfactor?
SPEAKER_01:Well, it means establishing a unique identity for everything in your organization that's connected. You know, I come from that background; we were just talking a little bit prior to starting about some of our adventures where our paths may have crossed. And I started in the world of PKI back 20-some years ago. I hate to finish the "some" part. But yeah, to me, the world is protected today, with all of our online transactions, using digital certificates. Digital certificates are a form of identity that have been proven at scale, time and time again. To me it has always been around being able to get that digital certificate to a device, to an application, to a person, to a machine, and then being able to uniquely identify that as it sort of goes through the operations it does, and ultimately to provide, you know, security within the channel too, over things like TLS and other protocols that are designed to secure communications.
SPEAKER_00:Indeed. And so PKI and certificate management are, you know, super fundamental. As geeks, we kind of talk about them and they touch everything. But how do you explain the real-world importance and significance to business leaders who may not be steeped in PKI?
SPEAKER_01:Yeah, it really is about having trust, ultimately, of what's talking to what, and having trust that those communications remain confidential. You know, be that in an application, for instance, where somebody's coming to your website and placing an order and the little lock pops up in the browser; that's PKI at work, on top of TLS. Inside your organization, it's how your machines connect to your Wi-Fi securely. You know, how machines know which machines to be able to talk to. All of that is part of that same trust infrastructure and understanding what should be allowed to talk to what. So if somebody brings in a device that's not authorized on the network, how do you prevent that from communicating? Again, PKI is a large part of that backbone that we sort of use every day but don't necessarily realize is being used every day.
SPEAKER_00:Indeed. And we're on the cusp of a quantum computing, quantum networking revolution. Yep. And super exciting, but also the threats in quantum are coming fast. How do you think about preparing, you know, cryptographic infrastructure for this tsunami that we're facing?
SPEAKER_01:I'm glad you use the term tsunami, because it's one that I've personally used a few times. Yeah, organizations that have not started planning are really behind at this juncture. You know, NIST has recommended that RSA and ECC, which are the two prevailing underlying algorithms that we use, be phased out by 2030, 2035, and a couple of exception cases. You know, there's been a lot of legislation across the globe where different geographic regions, you know, APAC, Australia recently released their guidance, Canada, so on and so forth, are all sort of moving towards that 2030 target. But in order to undertake such a massive change in cryptography... because if we think about cryptography, it's not just replacing a digital certificate or replacing, you know, my phone. This is not a hardware upgrade, it's not a software upgrade, it's an entire infrastructure change. So, you know, things like cryptographic libraries, so on and so forth, all need to change, and it all needs to be done sort of in a seamless way. And it really starts with organizations just being able to figure out what they've got. So cryptographic inventory, being able to see how big the problem is, and I can guarantee you, you know, the analogy I use is a spotlight or a flashlight versus turning on the lights in the room, right? Yeah, we tend to look for things with a flashlight a lot of the time, but in this particular case we've got to turn on the lights and realize that there's a lot of cryptography in our organization, see it all, realize it's probably a little bit messy, and then start taking a risk-based approach to how I can do that migration to post-quantum cryptography, because not doing it is not an option.
SPEAKER_00:Oh, really well said. And looking at the Keyfactor website, you talk a lot about crypto agility, a big focus of yours. What does that look like in action, beyond the marketing hype?
SPEAKER_01:Well, it's actually interesting, because NIST is actually working on a paper to better define that right now. And they've got a couple of drafts out that are well worth giving a read. But you know, at its fundamental level, it's really about organizations being able to be agile with cryptographic assets. You know, traditionally a lot of cryptography comes into the organization and we sort of treat it like a checkbox on an RFP, right? Do you support this? Yes, no, move on, file it, you know, in seven years, shred it. But we've never taken inventory of where all this stuff is inside of our organization. So it's not only the ability to see it, but then the ability to manage it downstream. And as NIST begins to look at what that really means in an organization, some of their guidance is very practical, like, you know, find it, swap out your cryptographic libraries, you're gonna need to be at TLS 1.3 in order to do post-quantum, so on and so forth. That's all very practical advice and very executable. They're also looking at it sort of more from a visionary standpoint too, which is how do we take cryptography to an abstraction layer, right? How do we get it out of all of our binaries and executables, and embed it everywhere, and sort of bring that into a more manageable, seamless layer at the top, where things just point to that to do crypto. You know, ultimately that is the vision for agility, but a lot of that is not available today. We're still sort of stuck just trying to figure out how to move Lego bits around in order to build a slightly new crypto landscape.
SPEAKER_00:Lego is a great analogy. And you know, speaking of Lego, my kids used to have Lego sprawled around the floor everywhere, and you know, you'd step on it and it would hurt tremendously. I think most companies don't realize how messy certificate sprawl is as well until something breaks, until you step on your Lego. So how do you clean this up? How do you get ahead of that?
SPEAKER_01:Well, like I said, the first thing is just to turn on the lights and see the Lego on the floor, to use that analogy. Make sure you don't step on it, but pick it up. You know, it's about reshaping how different protocols are going to be used. So NIST has standardized on a set of post-quantum protocols now. The guidance is out to replace them. Organizations need to be doing things from a couple of different angles. I've already talked about the inventory and that piece, which is absolutely important. But they then need to assess risk against technology. In the post-quantum world, there's this notion of harvest now, decrypt later, or steal now, decrypt later. It's a very real thing, where organizations are having their data stolen, even though it's encrypted, for decryption later. It tends to be longer-term data, tends to have high value. You know, think in terms of customer records, IP, things of the sort. Yeah, the so-called keys to the kingdom for a lot of businesses. You know, assess what the risk is of having that stolen today. If that were to leave your organization, what would the impact be? Maybe those are the things you need to start to protect first, because you can't do everything all at once. And then move on from there and sort of move through that risk-based layer, and then continuously monitor to make sure new stuff is not coming into your environment. And you know, my practical advice for organizations too: if you're not, in your procurement cycle now, asking your vendors what their post-quantum plans are, think in terms of the fact that, you know, some of the things that you're buying today may need to be post-quantum ready prior to 2030, and you may be buying an asset that's gonna have a much shorter shelf life than you realize.
So, really engage with your vendor ecosystem to make sure that all your vendors are on the same page and looking at how to adopt those standards and what their timelines are, so that you can have visibility into how to make that transition.
SPEAKER_00:Very cool. So this is the year of resilience and managing risk, it seems. What's the hardest part of securing identities, not just for people, but when you have these machines, and, you know, millions of them?
SPEAKER_01:You know, it's not a technology problem. In a lot of cases, it's a policy and process problem. I mean, the technology is there, it's proven at scale, and it's about to get tested again as we see things like agentic AI come onto the radar for a lot of organizations, which will push scale in a way that a lot of traditional non-PKI identity solutions will struggle to keep up with. But you know, it's really one of making sure that you've got the right foundation, right? This is basic construction, right? You need a good solid foundation upon which to build. And you know, security is obviously an important part of that foundation, and PKI is one of the foundational building blocks to good security, both in enterprise and also in product. So, you know, it transcends... this is not just an enterprise use case. There's an IoT component to this. If you're building a product that's gonna have a 20-year life and has security built in, same fundamentals of priority around being agile, being able to understand what the cryptography is, and then being able to manage that accordingly. So it really does transcend all verticals, all solution sets.
SPEAKER_00:Yeah, when I think about the number of devices with IP identities that I have just on my body: my smart glasses from Ray-Ban, my Oura ring, my phone. You know, it's on and on. So it's really life-impacting as well. You must have so many stories, anecdotes around when certificate or key issues became a real lesson learned in the real world, probably most of which you can't really talk about, but any anecdotes you can share?
SPEAKER_01:Yeah, I will point back to a few. We still, in the PKI world, tend to miss the simple things. If we were really, as a collective body, good at managing certificates, you know, there would never be a headline that says, you know, Microsoft Teams went down due to a certificate outage, or Starlink went down because a cert expired in a ground station. And the reason I like to sort of call those out is because, you know, if you've got infinite wealth and infinite resources and you're still not paying attention to the little things that can impact your business that way, what are other people supposed to do that may not have access to those resources the same way? Well, there are answers and there are solutions. It's just, to your point earlier, you know, how does the C-suite engage in a conversation? Well, they don't, until they're forced to, because they're looking at other priorities. You know, business resilience and cryptographic resilience has to become, and is thankfully starting to become, one of those conversations that is starting to happen within those boardrooms, and we are starting to see that change take place. Post-quantum is pushing some of that today, where, you know, there's new risks that boards, for instance, are having to look at, and they do come down to that cryptographic layer.
SPEAKER_00:Yeah, great point. Speaking of which, you deal with boards, you talk to board members, everyone's focused on the bottom line and kind of pinching pennies. How do you make the case for investing in PKI and trust infrastructure when the ROI isn't always visible? It's like plumbing. You know, you don't really invest in your plumbing until the pipes burst.
SPEAKER_01:Exactly. You're 100% correct. But there are a couple of things happening in the industry that are really pushing the conversation. We've talked about post-quantum as an example. We haven't really talked about the fact that, you know, for publicly rooted certificates, the CA/B Forum voted to move those down to 47-day renewals from the current 398 days. A few years ago, that was five years. So, you know, if you look at what the additional cost is of just trying to manage those without automation and good certificate lifecycle management, as an example, your costs are going exponentially higher. They're going 12x from what they currently are today. And that 12x is all in people running around having to do manual things with certificates, which does not scale. And you're introducing 12 times the number of mistakes that could be made deploying those, right? So there is a conversation to be had around ROI. There is a conversation to be had around operational efficiency and, you know, the visibility that the organization should have to understand what it is it's running. Because at the end of the day, a single certificate goes down and it takes out something like Teams or Starlink, or, you know, in your organization it might be your Wi-Fi, might be your web services, might be your mobile apps, things of the sort. So there is a huge impact to making sure that there is operational efficiency built into the framework around these digital certificates.
SPEAKER_00:Great point. The other thing that's constantly evolving is regulations around data and encryption, per country, per U.S. state even, for example, California versus Massachusetts. What's keeping you, or CSOs in general, up right now around that and compliance?
SPEAKER_01:Yeah, we're definitely seeing a much higher standard for compliance. We're a global business. We see it, for instance, with DORA in the EU. We're seeing some very strong initiatives out of Asia Pacific. We're seeing some fragmentation as well, you know, again around post-quantum, where organizations are setting the bar, or countries are setting a bar. There is, you know, this sort of notion of cryptographic sovereignty that's starting to come into play, and things of the sort with some of the new standards: yes, we're going to support, you know, library A, B, C, but our own flavor of it. You know, how does that all work from a compatibility standpoint? All of that still needs to be sort of fleshed out in that post-quantum migration. But countries are paying attention to cryptography in a way that they haven't traditionally, and we're starting to see a trend towards stronger regulation, both from government and from industry. So we see, for instance, in things like PCI, the new requirements have a piece around being able to manage your cryptography, and that will only become more and more complex. You know, and then auditors are picking up on these things, of course, and the auditors are saying, hey, I need to know more about this. Do you have visibility into what you're really doing, and help me understand how you would respond to an incident in this space, so I can give you the appropriate checkboxes? So it is sort of an evolutionary process that's happening.
SPEAKER_00:Yeah, it sounds like it. So just to wrap it up, looking ahead, where do you see the biggest shift coming in how organizations build and maintain trust in the digital world over the next couple, three, five years? Do you see a world of autonomous networks and networking that might help alleviate some of the burden here?
SPEAKER_01:So I do, but I think, yeah, you relieve a burden in one place and you perhaps load it in another. I do think that agentic AI is gonna be highly impactful in this space. You know, interestingly enough, agentic AI is just another use case for PKI. We already know how to do the scale that agentic AI is going to require. The protocols already exist for things like service mesh and, you know, things of the sort, to be able to do the issuance and all of that that needs to happen, right? If we think about the scope of agentic AI, it's the equivalent of onboarding 10,000 employees dynamically, simultaneously, perhaps, right? Yeah, the technology exists to do that and is proven. I really do think that that is going to start to push the boundaries of organizations' resilience as it relates to PKI. And those foundations that are built well will withstand that shift. Those foundations that are not built well will crumble under the weight of trying to adopt agentic AI as an identity source and a security backbone, you know, to serve the business needs, whatever they want to deploy agents for.
SPEAKER_00:Fascinating. Well, thanks so much for all the insight and updates, and continue the important work. Onwards and upwards.
SPEAKER_01:Thank you so much for having me be your guest today.
SPEAKER_00:Thanks, Chris, and thanks everyone for listening, watching, sharing this episode. And be sure to check out our new TV show, techimpact.tv, now on Bloomberg TV and Fox Business. Thanks, Chris. Thanks, everyone.
SPEAKER_01:Thank you.