
Secure to use versus secure: what IAM teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: A system can be technically secure yet still not secure to use if identity and trust signals do not line up for email, web, and transport paths, according to DigiCert’s Zoner case study. That distinction matters because practitioners must govern trust experience, not just encryption and certificate status.

NHIMG editorial — based on content published by DigiCert: What is Secure to Use? | Zoner & DigiCert Partner Case Study

Questions worth separating out

Q: How should security teams handle trust signals when cryptography is already in place?

A: Treat trust as an operational outcome, not a certificate status.

Q: Why can a system be secure yet still not secure to use?

A: Because technical protection and practical trust are different things.

Q: What should IAM teams learn from PKI and certificate governance?

A: IAM teams should treat certificate-backed identity as part of the identity lifecycle, not a standalone technical layer.

Practitioner guidance

  • Audit trust signal usability: Review whether users and systems can correctly interpret certificate, sender-authentication, and destination-assurance signals in the workflows where trust decisions are made.
  • Separate email and web assurance controls: Treat email sender authentication and website destination assurance as distinct control domains with separate policy, monitoring, and incident response playbooks.
  • Map PKI controls to business decisions: Identify where certificate lifecycle events affect user trust, customer communication, and application behaviour, then align those touchpoints with IAM and security governance.

What's in the full article

DigiCert's full blog post covers the practical trust details this post intentionally leaves at a higher level:

  • The Zoner quotation and case-study framing that explain why the trust-versus-security distinction matters in customer communication.
  • The PKI Platform context behind email sender confidence, website destination assurance, and protected transport.
  • The source article's narrative around how the partnership was positioned for Zoner and its users.
  • The supporting related-story links that show how DigiCert is framing PKI, email certificates, and certificate lifecycle topics.

👉 Read DigiCert's case study on why secure does not always mean secure to use →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990

Secure to use is a governance property, not a technical footnote. The Zoner case study shows that organisations can meet the technical bar for security while still failing the operational bar for trust clarity. PKI may validate identity, but if people cannot confidently interpret what the signal means, the control does not fully serve its purpose. For practitioners, this is a reminder that trust governance must include human comprehension and workflow fit, not only crypto status.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs.

A question worth separating out:

Q: How do organisations know whether trust controls are actually working?

A: Measure whether the intended trust signal changes behaviour in the workflow it was meant to protect. If users ignore the cue, systems cannot validate it consistently, or the policy is unclear, then the control exists but its trust value is weak.

👉 Read our full editorial: Secure to use versus secure: why identity trust still fails
