Title
Automated Certificate Policy Updates Based on NIST SP 800-52 and Improved Signature Algorithm Detection
Solution Value Statement
Enable IBM Concert to automatically update certificate policy rules based on NIST SP 800-52 guidance and improve signature algorithm detection using Object Identifiers (OIDs), ensuring stronger cryptographic compliance and reduced manual effort.
Problem Description
Currently, IBM Concert requires users to manually manage certificate policy rules related to cryptographic standards such as hash algorithms and key lengths.
Who is affected: Security teams and compliance officers responsible for enforcing cryptographic standards.
What the current process looks like: Users must manually track updates to NIST SP 800-52 and adjust policies accordingly. Signature algorithm detection relies on text matching (e.g., “SHA-256”), which is error-prone and inconsistent.
Why it's problematic: Manual updates are time-consuming and error-prone, and text-based detection can miss or misclassify algorithms, leading to compliance gaps.
Proposed Solution
Enhance IBM Concert’s certificate management capabilities to:
Automatically update certificate policy rules when NIST SP 800-52 is revised
Use Object Identifiers (OIDs) to detect signature algorithms instead of relying on text matching
Provide visibility into which certificates comply or violate updated standards
Offer recommendations or automated remediation actions for non-compliant certificates
Include a reference to the NIST publication version used for policy enforcement
Customer Impact / Business Value
Compliance Assurance: Ensures alignment with evolving NIST cryptographic standards
Operational Efficiency: Reduces manual effort in updating and enforcing certificate policies
Accuracy: Improves detection of weak or deprecated algorithms using OIDs
Security Posture: Strengthens cryptographic hygiene across environments
Pilot or Validation Context
This request is based on real-world cryptographic policy enforcement challenges. The NIST SP 800-52r2 publication provides authoritative guidance on acceptable algorithms and key lengths, which customers are expected to follow.
Key Functional Requirements
Automated policy updates based on NIST SP 800-52 revisions
OID-based signature algorithm detection
Certificate compliance reporting and visualization
Integration with certificate discovery and posture workflows
Audit trail of policy changes and enforcement actions
Metrics for Success
Reduction in manual policy update tasks
Accuracy of algorithm detection using OIDs
Number of certificates flagged and remediated based on updated policies
Customer satisfaction with cryptographic compliance features
Original Aha idea:
We investigate the Certificate management capability of IBM Concert.
Now we need to manage the Certificate policy for hash algorithms or key length manually. We think this is not an ideal way.
Basically we are subject to the NIST SP 800-52 guide on which signature algorithms are strong or not.
So when the NIST guide is updated, please update the Certificate policy automatically from the SaaS side.
-
And we don't think text matching on algorithm names like SHA-256 or SHA256-RSA is the best way.
Each signature algorithm has its own Object ID, which can be fetched with the openssl command and so on.
openssl x509 -in certificate.crt -text -noout
We think evaluation using the OBJECTID is a better way, without ambiguity.
SIGNATURE ALGORITHM        OBJECTID                  STATUS
sha256WithRSAEncryption    1.2.840.113549.1.1.11     secure
sha1WithRSAEncryption      1.2.840.113549.1.1.5      INSECURE
ecdsa-with-SHA256          1.2.840.10045.4.3.2       secure
dsa-with-sha256            2.16.840.1.101.3.4.3.2    secure
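As an added example (not part of the original request or of IBM Concert), a minimal Python check that decodes the signature algorithm OID from the DER AlgorithmIdentifier and classifies it against the table above, keyed by OID rather than by printed name. The sample encodings, the REVIEW label for OIDs outside the policy and the policy-source field are constructed for illustration.

```python
# Added example (not IBM Concert code): OID-based signature algorithm policy lookup.
# Decodes the OID from a DER AlgorithmIdentifier and classifies it by OID, not by name.

# Policy keyed by OID, mirroring the table in the request; the NIST revision is recorded
# so reports can state which publication version the rule set was derived from.
POLICY_SOURCE = "NIST SP 800-52r2"
SIGNATURE_POLICY = {
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "secure"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "INSECURE"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "secure"),
    "2.16.840.1.101.3.4.3.2": ("dsa-with-sha256", "secure"),
}

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value, pending = [], 0, False
    for byte in content:
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = continuation
        pending = bool(byte & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("empty or truncated OID")
    # The first octet packs two arcs as 40*X + Y; X is 0 or 1 below 80, else 2.
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def algorithm_oid(der: bytes) -> str:
    """Pull the OID out of a DER AlgorithmIdentifier SEQUENCE { OID, parameters }."""
    if len(der) < 4 or der[0] != 0x30 or der[2] != 0x06 or der[3] > len(der) - 4:
        raise ValueError("not a short-form AlgorithmIdentifier")
    return decode_oid(der[4:4 + der[3]])

def evaluate(der: bytes) -> dict:
    """Classify a signatureAlgorithm by OID; OIDs outside the policy are flagged REVIEW."""
    oid = algorithm_oid(der)
    name, status = SIGNATURE_POLICY.get(oid, ("unknown", "REVIEW"))
    return {"oid": oid, "algorithm": name, "status": status, "policy": POLICY_SOURCE}

# Constructed AlgorithmIdentifier encodings (not from a real certificate).
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
SHA1_RSA = bytes.fromhex("300d06092a864886f70d0101050500")
ECDSA_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")

if __name__ == "__main__":
    for sample in (SHA256_RSA, SHA1_RSA, ECDSA_SHA256):
        print(evaluate(sample))
```

Because the lookup is on the OID, display-name variants such as "SHA256-RSA" and "sha256WithRSAEncryption" collapse to the same policy entry, and any OID the policy has not classified is surfaced rather than silently accepted.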