
B
Welcome to Coruzant Technologies, home of the Digital Executive podcast. Do you work in emerging tech? Working on something innovative? Maybe an entrepreneur? Apply to be a guest at www.corazon.com. Welcome to the Digital Executive. Today's guest is Tim Callan. Tim Callan has more than 20 years of experience in the SSL/PKI technology space, where he has become a respected figure shaping the standards and practices that govern digital trust. At Sectigo, Tim is the Chief Experience Officer, where he leads the company's conformance with industry and regulatory requirements, including browser root programs, WebTrust compliance, the CA/Browser Forum and other critical governance bodies. His leadership has been instrumental in driving initiatives that deliver greater certificate agility, automation and reliability to enterprises worldwide. Well, good afternoon, Tim. Welcome to the show.
A
Thank you, Brian. I'm happy to be here.
B
Awesome. I appreciate it, my friend. I know you're in South Bend, Indiana, and I'm in Kansas City. We are starting to experience that cool weather coming in. And I do know. I've been to Indianapolis, Indiana quite a bit, so I know it gets cold.
A
So yeah, it came very suddenly a week ago. It was lovely and today not so much.
B
Yep, October was nice, but that has just quickly exited. So Tim, I'm gonna jump into your first question. You spent over 20 years working in the SSL/PKI space and were a founding member of the Certificate Authority Browser Forum, of which you're now the Vice Chair. How did you first become interested in digital certificates and trust infrastructure, and what pivotal moment convinced you that this would be your niche?
A
Well, you know, I followed it all the way from really the inception of SSL back in 1995 when the World Wide Web blew up. And it quickly became clear that we needed a way to know that we were connecting to the entity online that we thought we were, that this is really my bank or this is really the online retailer, I think. And one of the things that happened in a few intervening years, as you know, as I was in other spaces, is it became clear that this is foundational to everything we're going to do digitally. And it really is. Like without this concept of digital identity and PKI, we can't do anything. We would be back to pen and paper. This podcast wouldn't be happening. Our phones wouldn't work, our financial systems wouldn't work, retail wouldn't work, logistics wouldn't work. It all would fall apart. And it's such a basic and important thing that is so invisible to so many people. And I love the idea of helping make that stronger and better and really committed my career to that.
B
That's awesome. I appreciate that. And like you, I jumped into the World Wide Web at its inception and was very excited about some of that stuff. But I'm glad that you focused in this area. Again, like you mentioned, a lot of things wouldn't happen without some of this technology. Security is obviously paramount nowadays as well. So I appreciate you being a pioneer in that space. And Tim, one of the biggest shifts you talk about is the move to much shorter certificate lifespans, for example, 47-day SSL/TLS certificates, and the need for automation across issuance, renewal and management. What are the biggest practical challenges enterprises face when adopting these changes, and how should they prepare?
A
Yeah, so certificate lifespans have been getting shorter and are continuing to do so. Once upon a time you could get a five- or ten-year server certificate. Now it's down to one year, and starting in March of 2026 it's going to be down to six months. And then over the next few years it's going to step down to a monthly renewal cadence. And there's good reasons for this, because shorter certificates are more secure. Let's say that something happens. Let's say that you have a compromised private key, or maybe someone gets a certificate to use with some domain hijacking attack. A shorter lifespan cert just gives you a lower risk window, gives them a lower period of time to exploit you and run their attacks. And so shortening certificate lifespans is broadly understood to be a smart security decision. But it does pose challenges for us, because where we used to do things manually, if I had to touch it once every three years or two years or once a year, a manual process might be fine, tracking with a spreadsheet might be fine. But imagine that you're doing these things now on a monthly basis, and the consequence of a certificate not being renewed is bad. They stop working. Right. And so we need to really focus on automation, on putting systems in place that are going to help us run these things automatically, just as a matter of business, without a human being having to do a thing. And to do that, what we need to do as IT professionals, I think, is we need to be socializing this need internally. Right. So that our own groups who decide on roadmap and priorities and budget considerations and things understand that this is coming, and that if we don't automate, there are going to be bad impacts.
B
Thank you. And I appreciate you breaking that out for our audience today. I did read a lot about these certificates becoming shorter and shorter, but you did highlight a couple things, where just in March, coming up here next year, we're going to be moving those certificates to every six months. And then as time moves on, it's going to get shorter and shorter. I agree. I used to do a lot of this certificate renewal back in the day, in my younger days. And yeah, it was easy to kind of maintain that every two or three years. But we definitely need to get moving to adopt this stuff. I think it's important. Obviously, we're going to have to streamline and automate the frequency that these certificates renew.
A
So.
B
I appreciate that. Yeah. And Tim, I know Sectigo recently put out a report called the State of Crypto Agility. Can you tell me about that report and what the key takeaways were? Were there any surprises there?
A
Yes. So this report, we really tried to focus on two things. One of them was this reduction to shorter certificate lifespans, which you and I have just been discussing, and what that means to enterprises. We have. So that's some takeaways there. Also connected to that, though, while we had that audience's attention, we wanted to find out about their preparedness and their plans for post-quantum cryptography, which is the new cryptographic standards that we're going to have to use, move to, so that quantum computers can't ultimately break our cryptography, which is a thing they will do to the cryptography that we're using today. And so what were some of the takeaways? I think the biggest takeaway was that the shortening certificate lifespans are going to be challenging for enterprises. For example, 96% of organizations express concern about the impact that shorter certificates are going to have on their organizations, which is huge. Less than one in five say that they're very prepared to support the coming shift to 47 days. So there's a lot of need being identified there. And on the PQC side, it's almost kind of the opposite. Only 15% of organizations feel extremely confident in their ability to integrate PQC without a major disruption. So we've got a concern going on there too, and the two of them are connected. But the good news on the PQC side is that 90% of organizations have increasing budget allocation coming. So organizations, I think, are galvanized to understand that they need to prepare for new kinds of cryptographic algorithms, and connected to that, we're hoping they realize that this is a good time to also prepare for shorter certificates, because really the two initiatives are very related, and in a lot of ways you can kill both birds.
B
With a single stone. Thank you, I appreciate that. And yeah, there's been a lot of interest, especially, you probably saw recently, Google's quantum chip just broke a crazy record. They achieved quantum supremacy, which is pretty wild. But I agree with you. We need to, for post-quantum cryptography, we need to be in the trenches now making sure that we are ready for this. But shortening the certificate lifespan is certainly a challenge for a lot of organizations, and you did highlight some of that. So I appreciate your insights. And Tim, the last question of the day. If you look at five or 10 years out, how do you envision the certificate and trust ecosystem evolving? And how do you foresee a world where certificates are largely invisible, where trust is delegated differently, or maybe where ecosystems like IoT require new models of identity?
A
Yeah, it's interesting. I think identity is a useful word. In practice, it means a lot of things. So for instance, if I sign a contract digitally, there's an identity associated with that. That's a different thing in a lot of ways than me saying that when I connect to my bank, I want to know that it's really my bank. That also has identity. But the identity of that website and the identity of me as a signer have some different qualities about them. And so some things are going on, like a broad, broad citizen electronic digital identity is just a matter of time. So the European Union has already passed legislation that every European citizen in the next few years will have access to a digital wallet that will include an identity. There's similar things going on in the US, in certain states, where you can basically get an electronic driver's license on your phone. That's another example of a digital identity. So these are going to move into the mainstream for us. At the same time, every digital process and entity everywhere needs to have an identity associated with it. So the stuff we do today, where all our servers and all our systems all have to have digital identities, when I use, if I use a content acceleration network or if I use a hyperscaler or if I use a hosting provider, even though I don't do it, there has to be digital identities associated with all those servers or it all doesn't work. So you're right, it does become less visible, perhaps, in a lot of ways, because my CDN is handling it for me, not me. Right. But on the other hand, it also is becoming much more visible in terms of things like we as people will be having to have a digital certificate on our phone that will identify us. And the important thing, I think, is that the technical professionals who do this need to do their jobs correctly. And there's no need for every individual citizen to be able to understand how this works technically. They just can't. But they need to be able to rely on it. And that means that people in the business like you and me and our listeners need to be educated, and they need to get this stuff right.
B
Thank you. I appreciate you unpacking that. I know identity is key, and as you mentioned, each has unique qualities about it, but you did highlight that digital identity is coming to everything, everywhere. You mentioned a few examples, including a digital ID, for example, and I think that's great. It's going to streamline a lot of things. It's going to protect a lot of things. However, from my standpoint here, it's key that privacy and individuality are kept. I don't know how they're going to do that, because there's a big push for this, and humans have been known to be a bit biased and corrupt over the centuries, so you got to keep that.
A
Absolutely. And there's the opportunity for things like PKI technically to provide a lot of those protections. That's one of the great things about it. For instance, if we make encryption correct, then it doesn't matter about the intent of anybody on any side, because they simply can't break the encryption whether they want to or not. There certainly are threats that come against that from things like some governments around the world who want to install back doors. I believe that those things would be very detrimental to our overall security and our privacy, and I believe we should resist those ideas. The cryptography and the PKI, implemented correctly, really is unassailable as long as we make it that way.
B
Thank you. Really appreciate that. And Tim, it was such a pleasure having you on today, and I look forward to speaking with you real soon.
A
Thank you so much, Brian. This has been a pleasure.
B
Bye for now.
Podcast: The Digital Executive (Coruzant Technologies)
Episode: 1138
Date: November 2, 2025
Guest: Tim Callan, Chief Experience Officer, Sectigo
Host: Brian Thomas
This insightful 10-minute episode explores the future of digital trust through the lens of certificates, cryptography, and digital identity. Tim Callan, a seasoned leader in PKI and SSL, discusses the increasing importance of digital certificates, the move to ever-shorter certificate lifespans, preparations for the post-quantum era, and the evolving landscape of digital identity—including what it means for organizations and everyday users. The conversation combines practical advice with high-level perspectives on managing trust and security in an increasingly digital world.
[01:25 - 02:54]
"Without this concept of digital identity and PKI, we can't do anything. We would be back to pen and paper. This podcast wouldn't be happening. Our phones wouldn't work, our financial systems wouldn't work..." – Tim Callan [01:50]
[03:34 - 05:25]
"Shorter certificates are more secure... a shorter lifespan cert just gives you a lower risk window... to exploit you and run their attacks." – Tim Callan [03:54]
"...if we don't automate, there are going to be bad impacts." – Tim Callan [05:13]
[06:15 - 08:06]
"96% of organizations express concern about the impact that shorter certificates are going to have on their organizations, which is huge." – Tim Callan [07:09]
"...the two initiatives are very related and in a lot of ways you can kill both birds... with a single stone." – Tim Callan [08:01]
[08:57 - 12:37]
"The identity of that website and the identity of me as a signer have some different qualities about them." – Tim Callan [08:59]
"...if we make encryption correct, then it doesn't matter about the intent of anybody... they simply can't break the encryption whether they want to or not." – Tim Callan [11:55]
"Cryptography and the PKI implemented correctly really is unassailable as long as we make it that way." – Tim Callan [12:30]
On the critical invisibility of PKI:
"...it's such a basic and important thing that is so invisible to so many people. And I love the idea of helping make that stronger and better and really committed my career to that." – Tim Callan [02:32]
On organizational challenges and automation:
"...we need to really focus on automation, on putting systems in place that are going to help us run these things automatically, just as a matter of business, without a human being having to do a thing." – Tim Callan [04:32]
On the interconnected nature of cryptographic modernization:
"...the two of them are connected. But the good news on the PQC side is that 90% of organizations have increasing budget allocation coming." – Tim Callan [07:51]
On the future ubiquity of digital identity:
"...every digital process and entity everywhere needs to have an identity associated with it." – Tim Callan [09:49]
On privacy versus government backdoors:
"There certainly are threats that come against that from things like some governments... who want to install back doors. I believe that those things would be very detrimental to our overall security and our privacy, and I believe we should resist those ideas." – Tim Callan [12:12]
This episode is a concise yet comprehensive tour through the pressing changes in digital trust, offering both strategic and practical guidance for technology leaders and professionals.