2025-10-09, Belvedere I / Security, Compliance & the Law
The European Union has published an ambitious post-quantum roadmap. It motivates the transition to post-quantum cryptography (PQC) mainly with the Store Now, Decrypt Later (SNDL) threat, and it also argues for the security of critical infrastructure. The PQC debate centres on the SNDL threat model, and there is a risk that this overshadows the debate on the critical identification infrastructure. SNDL is a confidentiality threat: ciphertext recorded today can be decrypted once a cryptographically relevant quantum computer exists. Signatures are on a different timeline: a signature only becomes forgeable once such a machine exists, but any signed credential that must still be trusted at that point has to have been issued under a quantum-safe signature scheme well before it.
The authenticity of the identities stored on eID cards and biometric passports depends on digital signatures. The cards and passports are valid for ten years, so a document issued today remains in use until 2035, by which time we should already be quantum safe. Already in 1999, non-repudiation of the signatures was an essential security objective for the EU PKI cards. A single forged signature could put the entire digital identification infrastructure in jeopardy.
The EU Cyber Resilience Act (CRA), for example, obliges manufacturers to maintain the products they place on the EU market. That typically requires software updates to be issued for the products, and the updates to be digitally signed. The PQC transition requires the backend infrastructure to be upgraded, and potentially the various crypto-agility mechanisms implemented in the products themselves. That mandates a rethink of the life-cycle models of the products, and of the development and production processes.
The talk will explore the PQC transition from the point of view of the critical identification infrastructure, tracing it back to the EU E-Sign Workshop in 1999 and the evolution since then of the use of digital signatures in the public- and private-sector identification infrastructures for both people and components. The presentation will be solution-centric, despite the frightening once-in-a-lifetime opportunity.