Tim Callan Podcast Transcript
Tim Callan joins host Brian Thomas on The Digital Executive Podcast.
Brian Thomas: Welcome to Coruzant Technologies, home of The Digital Executive podcast.
Do you work in emerging tech, working on something innovative? Maybe an entrepreneur? Apply to be a guest at www.coruzant.com/brand.
Welcome to The Digital Executive. Today’s guest is Tim Callan. Tim Callan has more than 20 years of experience in the SSL/PKI technology space, where he’s become a respected figure shaping the standards and practices that govern digital trust.
At Sectigo, Tim is the Chief Experience Officer, where he leads the company’s conformance with industry and regulatory requirements, including browser root programs, WebTrust compliance, the Certificate Authority/Browser Forum, and other critical governance bodies. His leadership has been instrumental in driving initiatives that deliver greater certificate agility, automation, and reliability to enterprises worldwide.
Brian Thomas: Well, good afternoon, Tim. Welcome to the show.
Tim Callan: Thank you, Brian. I’m happy to be here.
Brian Thomas: Awesome. I appreciate it, my friend. I know you’re in South Bend, Indiana, and I’m in Kansas City. We are starting to experience that cool weather coming in. As I do know, I’ve been to Indianapolis, Indiana quite a bit, so I know it gets cold.
Tim Callan: So yeah, it came very suddenly a week ago. It was lovely. And today, not so much.
Brian Thomas: Yep. October was nice, but that’s as quickly as it exited. So Tim, I’m gonna jump into your first question. You spent over 20 years working in the SSL/PKI space, and were a founding member of the Certificate Authority/Browser Forum, of which you’re now the vice chair.
How did you first become interested in digital certificates and trust infrastructure, and what pivotal moment convinced you that this would be your niche?
Tim Callan: Well, you know, I followed it all the way from really the inception of SSL back in 1995. When the worldwide web blew up and it quickly became clear that we needed a way to know that we were connecting to the entity online that we thought we were, and that this is really my bank or this is really the online retailer, I think.
And one of the things that happened in a few intervening years, as you know, as I was in other spaces, is it became clear that this is foundational to everything we’re going to do digitally. And it really is like without this concept of digital identity and PKI, we can’t do anything. We wouldn’t be back to pen and paper.
This podcast wouldn’t be happening. Our phones wouldn’t work. Our financial systems wouldn’t work. Retail wouldn’t work. Logistics wouldn’t work. It all would fall apart. And it’s such a basic and important thing that is so invisible to so many people, and I loved the idea of helping make that stronger and better and really committed my career to that.
Brian Thomas: That’s awesome. I appreciate that. And like you, I jumped into the worldwide web in its inception and was very excited about some of that stuff, but I’m glad that you focused in this area. Again, like you mentioned, a lot of things wouldn’t happen without some of this. Technology security is obviously paramount nowadays as well, so I appreciate you being a pioneer in that space.
And Tim, one of the biggest shifts you talk about is the move to much shorter certificate lifespans. For example, 47-day SSL/TLS certificates, the need for automation across issuance, renewal, and management. What are the biggest practical challenges enterprises face when adopting these changes, and how should they prepare?
Tim Callan: Yeah, so certificate lifespans have been getting shorter and are continuing to do so. Once upon a time, you could get a five- or 10-year server certificate. Now it’s down to one year, and starting in March of 2026, it’s gonna be down to six months. And then over the next few years, it’s gonna step down to a monthly renewal cadence.
And there’s good reasons for this, because shorter certificates are more secure. Let’s say that something happens. Let’s say that you have a compromised private key, or maybe someone gets a certificate to use with some domain hijacking attack. A shorter-lifespan cert just gives you a lower risk window, gives them a shorter period of time to exploit you and run their attacks.
And so shortening certificate lifespans is broadly understood to be a smart security decision. But it does pose challenges for us, because where we used to do things manually, if I had to touch it once every three years or two years, or once a year, a manual process might be fine. Tracking with a spreadsheet might be fine, but imagine that you’re doing these things now on a monthly basis, and the consequence of the certificate not being renewed is bad.
They stop working, right? And so we need to really focus on automation, on putting systems in place that are going to help us run these things automatically, just as a matter of business, without a human being having to do a thing. And to do that, what we need to do as IT professionals, I think, is we need to be socializing this need internally, right?
So that our own groups who decide on roadmap and priorities and budget considerations and things understand that this is coming, and that if we don’t automate, there are gonna be bad impacts.
Brian Thomas: Thank you. I appreciate you breaking that out for our audience today. I did read a lot about these certificates becoming shorter and shorter, but you did highlight a couple things where just in March, coming up here next year, we’re gonna be moving those certificates to every six months, and then as time moves on, it’s gonna get shorter and shorter.
I agree. I used to do a lot of this certificate renewal back in the day, in my younger days. And yeah, it was easy to kind of maintain that every two or three years, but we definitely need to get moving to adopt this stuff. I think it’s important. Obviously we’re gonna have to streamline and automate the frequency that these certificates renew, so I appreciate that.
And Tim, I know Sectigo recently put out a report called the State of Crypto Agility. Can you tell me about that report and what the key takeaways were? Were there any surprises there?
Tim Callan: Yes. So this report, we really tried to focus on two things. One of ’em was this reduction to shorter certificate lifespans, which you and I have just been discussing, and what that means to enterprises.
We absolutely had some takeaways there. Also connected to that though, while we have that audience’s attention, we wanted to find out about their preparedness and their plans for post-quantum cryptography, which is the new cryptographic standards that we’re gonna have to move to so that quantum computers can’t ultimately break our cryptography, which is a thing they will do to the cryptography that we’re using today.
And so, what were some of the takeaways? I think the biggest takeaway was that the shortening certificate lifespans are going to be challenging for enterprises. For example, 96% of organizations express concern about the impact that shorter certificates are gonna have on their organizations. Which is huge.
Less than one in five say that they’re very prepared to support the coming shift to 47 days. So, there’s a lot of need being identified there. And on the PQC side, it’s almost kind of the opposite. Only 15% of organizations feel extremely confident in their ability to integrate PQC without a major disruption.
So, we’ve got a concern going on there too. And the two of them are connected. But the good news on the PQC side is that 90% of organizations have increasing budget allocation coming. So organizations, I think, are galvanized to understand that they need to prepare for new kinds of cryptographic algorithms, and connected to that,
we’re hoping they realize that this is a good time to also prepare for shorter certificates, because really the two initiatives are very related, and in a lot of ways you can kill both birds with a single stone.
Brian Thomas: Thank you. I appreciate that. And yeah, there’s been a lot of interest, especially, you probably saw recently, Google’s quantum chip just broke a crazy record. They achieved quantum supremacy, which is pretty wild. But I agree with you, we need to, for post-quantum cryptography, we need to be in the trenches now making sure that we are ready for this. But shortening the certificate lifespan is certainly a challenge for a lot of organizations, and you did highlight some of that, so I appreciate your insights.
And Tim, the last question of the day: if you look ahead five or 10 years, how do you envision the certificate and trust ecosystem evolving, and how do you foresee a world where certificates are largely invisible, where trust is delegated differently, or maybe where ecosystems like IoT require new models of identity?
Tim Callan: Yeah, it’s interesting. I think identity is a useful word; in practice, it means a lot of things. So for instance, if I sign a contract digitally, there’s an identity associated with that. That’s a different thing in a lot of ways than me saying that when I connect to my bank, I wanna know that it’s really my bank. That also has identity, but the identity of that website and the identity of me as a signer have some different qualities about them.
And so some things are going on, like a broad citizen electronic digital identity is just a matter of time. So the European Union has already passed legislation that every European citizen in the next few years will have access to a digital wallet that will include an identity. There’s similar things going on in the US in certain states, where you can basically get an electronic driver’s license on your phone.
That’s another example of a digital identity. So these are going to move into the mainstream for us. At the same time, every digital process and entity everywhere needs to have an identity associated with it. So the stuff we do today where all our servers and all our systems all have to have digital identities.
If I use a content acceleration network, or if I use a hyperscaler, or if I use a hosting provider, even though I don’t do it, there has to be digital identities associated with all those servers, or it all doesn’t work. So you’re right, it does become less visible perhaps in a lot of ways, because my CDN is handling it for me, not me.
Right. But on the other hand, it also is becoming much more visible in terms of things like we as people are gonna have a digital certificate on our phone that will identify us. And the important thing, I think, is that the technical professionals who do this need to do their jobs correctly.
And there’s no need for every individual citizen to be able to understand how this works technically. They just can’t, but they need to be able to rely on it, and that means that people in the business, like you and me and our listeners, need to be educated and they need to get the stuff right.
Brian Thomas: Thank you. I appreciate you unpacking that. I know identity is key and, as you mentioned, each has unique qualities about it, but you did highlight digital identity is coming to everything everywhere. Yeah, you mentioned a few examples, including a digital ID, for example, and I think that’s great. It’s gonna streamline a lot of things.
It’s gonna protect a lot of things. However, from my standpoint here, it’s key that privacy and individuality are kept. I don’t know how they’re gonna do that, because there’s a big push for this, and humans have been known to be a bit biased and corrupt over the centuries, so you gotta keep that.
Tim Callan: Absolutely. And there’s the opportunity for things like PKI technically to provide a lot of those protections. That’s one of the great things about it. For instance, if we make encryption correct, then it doesn’t matter about the intent of anybody on any side, because they simply can’t break the encryption whether they want to or not.
There certainly are threats that come against that from things like some governments around the world who wanna install back doors. I believe that those things would be very detrimental to our overall security and our privacy, and I believe we should resist those ideas. The cryptography and the PKI implemented correctly really is unassailable as long as we make it that way.
Brian Thomas: Thank you. Really appreciate that. And Tim, it was such a pleasure having you on today, and I look forward to speaking with you real soon.
Tim Callan: Thank you so much, Brian. This has been a pleasure.
Brian Thomas: Bye for now.