The 2023 RSA Conference just concluded. This week Tim recaps what he saw at the show and how it reflects on security industry trends. Our hosts discuss Zero Trust, PQC, blockchain, artificial intelligence, post-COVID tradeshow behavior, and more.
May 02, 2023•31 min
The Google Chrome root program has communicated its plans for promoting automation. In this episode we explain Chrome's public plans for this initiative, which is anchored around ACME.
Apr 28, 2023•12 min
A recent outage in the Starlink internet service was caused by an unexpected certificate expiration. We discuss this ongoing problem and how a 90-day maximum certificate term will exacerbate it.
Apr 26, 2023•10 min
The CA/Browser Forum guidelines contain many prescribed requirements written with the key words SHOULD and MUST. In this episode we explain the specifying power of these two words, why they are used, what they signal about the intent behind a guideline, and how the rules might evolve.
Apr 21, 2023•13 min
A large, public criminal marketplace for stolen logins and other information was rolled up by law enforcement across seventeen countries. Genesis Marketplace offered not only traditional login credentials but also associated data needed to defeat MFA.
Apr 17, 2023•11 min
The Root Causes podcast has received a Webby Honoree award. Jason and Tim briefly celebrate and discuss the challenge of operating a niche, homemade podcast while being directly compared to professionally produced podcasts on mainstream topics from media companies. Plus, Tim's new Root Causes t-shirt.
Apr 13, 2023•9 min
Certbot is an important part of the ACME ecosystem. This open source ACME client makes it easier for many IT administrators to use ACME to automate provisioning and installation of SSL / TLS certificates.
Apr 10, 2023•13 min
As the industry explores the expected consequences of 90-day maximum term for SSL / TLS certificates, some are wondering if the allowed validation data reuse period stands to go down also. We explain today's data reuse rules and what the evidence indicates will be required for both domain control validation (DCV) and organization information validation.
Apr 06, 2023•15 min
We discuss how Certificate Lifecycle Management (CLM) interacts with Security Information and Event Management (SIEM). The certificate world is chock full of events such as renewals, revocations, admin logins, and provisioning and removal of employee access. We talk about expected behaviors in the CLM and how to monitor for deviations from them.
Apr 03, 2023•10 min
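The kind of rules a SIEM could run over CLM events, as an added illustration for the CLM/SIEM episode above and for the Starlink certificate-expiration episode (this is not any CLM or SIEM product's code; the JSON event schema, rule names, thresholds and sample events are all constructed for the example):

```python
"""Example rules a SIEM might run over Certificate Lifecycle Management (CLM)
events.  Added illustration, not any CLM or SIEM product's code; the JSON event
schema, rule names and thresholds below are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events (JSON lines), not real CLM output.
SAMPLE_EVENTS = """\
{"ts":"2023-03-01T09:00:00Z","event":"access_granted","actor":"it-admin","subject":"alice"}
{"ts":"2023-03-01T09:05:00Z","event":"issued","actor":"alice","subject":"api.example.com","issuer":"Approved CA","not_after":"2023-05-30T09:05:00Z"}
{"ts":"2023-03-02T10:00:00Z","event":"issued","actor":"alice","subject":"old.example.com","issuer":"Approved CA","not_after":"2023-04-10T10:00:00Z"}
{"ts":"2023-03-03T11:00:00Z","event":"issued","actor":"bob","subject":"rogue.example.com","issuer":"Unknown Test CA","not_after":"2024-03-03T11:00:00Z"}
{"ts":"2023-03-10T17:00:00Z","event":"access_removed","actor":"it-admin","subject":"alice"}
{"ts":"2023-03-11T02:00:00Z","event":"admin_login","actor":"alice"}
{"ts":"2023-03-12T12:00:00Z","event":"revoked","actor":"bob","subject":"api.example.com","reason":"keyCompromise"}
"""

APPROVED_ISSUERS = {"Approved CA"}          # assumption: the enterprise's allowed CAs
EXPIRY_WARNING = timedelta(days=14)         # assumption: alert this far before notAfter
MIN_AGE_BEFORE_REVOKE = timedelta(days=30)  # assumption: revoking a younger cert is unusual


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON-lines CLM events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = _ts(e["ts"])
        if "not_after" in e:
            e["not_after"] = _ts(e["not_after"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, now):
    """Return (rule, subject) alerts for behaviours a CLM should not show."""
    alerts = []
    has_access = {}   # CLM user -> currently provisioned?
    live = {}         # certificate subject -> most recent issue/renew event
    for e in events:
        kind = e["event"]
        if kind == "access_granted":
            has_access[e["subject"]] = True
        elif kind == "access_removed":
            has_access[e["subject"]] = False
        elif kind == "admin_login" and not has_access.get(e["actor"], False):
            # A login by someone whose access was removed (or never granted).
            alerts.append(("login_after_deprovision", e["actor"]))
        elif kind in ("issued", "renewed"):
            if e["issuer"] not in APPROVED_ISSUERS:
                alerts.append(("unapproved_issuer", e["subject"]))
            live[e["subject"]] = e
        elif kind == "revoked":
            prev = live.pop(e["subject"], None)
            if prev is not None and e["ts"] - prev["ts"] < MIN_AGE_BEFORE_REVOKE:
                # Revocation shortly after issuance: mis-issuance or key exposure?
                alerts.append(("early_revocation", e["subject"]))
    # Anything still live and close to expiry with no renewal is an outage risk.
    for subject, e in live.items():
        if e["not_after"] - now < EXPIRY_WARNING:
            alerts.append(("expiring_soon", subject))
    return alerts


def run_sample(now=datetime(2023, 4, 1, tzinfo=timezone.utc)):
    return analyze(parse_events(SAMPLE_EVENTS), now)


if __name__ == "__main__":
    for rule, subject in run_sample():
        print(f"{rule:24} {subject}")
```

The expiry rule is the one that gets busier under a 90-day maximum term: with four renewals a year per certificate instead of one, a missed renewal has to be caught within a two-week window rather than months.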
In this episode we define Qualified Government Information Source (QGIS) and Qualified Independent Information Source (QIIS), which are critical to CABF-compliant organization validation. We explain how they fit into validation and the criteria for a reliable information source.
Mar 29, 2023•13 min
In this episode we dig into an emerging idea, which is the cryptographic center of excellence. We discuss how such a center of excellence would work and the benefits it can bring to an enterprise.
Mar 27, 2023•9 min
In this episode we are joined by Atsushi Yamada, CEO of ISARA. He explains how ISARA has put its patents on hybrid certificates into the public domain and why. We explain the role of hybrid certificates in PQC and ongoing crypto agility.
Mar 22, 2023•12 min
In this episode we describe an incident in which a GoDaddy breach exposed customer private keys. We explain the expectations surrounding private key exposure and get into the interesting question of when an incident is or is not part of a large company's CA business.
Mar 20, 2023•14 min
A new White House cybersecurity initiative specifically calls out digital identity and post quantum cryptography (PQC) among its focal areas. We discuss what it says and the potential implications.
Mar 16, 2023•10 min
In our ongoing exploration of the security implications of AI, in this episode we examine the suitability of ChatGPT as a malware-writing tool and possible future directions for AI in software creation.
Mar 14, 2023•16 min
The Google Chrome root program recently announced its intention to reduce the maximum term for public SSL certificates to 90 days. In this episode we explain this announcement and its implications and speculate on timing for this reduction.
Mar 10, 2023•24 min
In our episode 281 we reported on Google's proposal for optional OCSP. In this episode we correct some of our earlier reporting, including the role of CRLs and the removal of any revocation-checking requirement for SSL certificates with a term of no more than ten days.
Mar 06, 2023•11 min
Repeat guest Bruno Couillard of Crypto4A joins us to explain where Hardware Security Modules (HSMs) fit into the world of PQC. We discuss the issues surrounding how HSMs will work with post quantum algorithms and hybrid certificates and the process (and timelines) for defining how HSMs will incorporate PQC.
Mar 02, 2023•29 min
In response to concerns about OCSP and privacy, Google has proposed removing the requirement for OCSP revocation checking for public SSL certificates meeting certain specific conditions. In this episode we go into the details of this proposal.
Feb 26, 2023•26 min
Recent news reports might suggest that an AI-enhanced side channel attack has defeated the CRYSTALS-Kyber PQC algorithm. In this episode we clarify that Kyber has not been defeated to date and exactly what did occur. We define side channel attack, discuss the broader implications of this attack, and speculate on what would happen if Kyber actually were broken.
Feb 24, 2023•20 min
ChatGPT raises the potential problem of ChatGPT-generated content being passed off as, and attributed to, another source such as a professional writer or a student. In this episode we discuss the idea of "watermarking" ChatGPT content, including steganography, randomness, entropy, and how to destroy the watermarks.
Feb 19, 2023•16 min
Recent public discussion of FIDO and digital certificates reveals details of Microsoft's approach to consumer digital authentication. We discuss secure elements, Windows Hello, and the differences between B2C, B2B, and B2E.
Feb 17, 2023•11 min
In the latest continuation of the effort to create better protections for consumer privacy while still enabling targeted advertising, Google has announced the Privacy Sandbox. In this episode we describe this latest foray, including concepts like k-anonymity and differential privacy.
Feb 13, 2023•15 min
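A small working illustration of the k-anonymity concept named in the Privacy Sandbox episode above, added here and not taken from Google's Privacy Sandbox code; the records, the quasi-identifier choice (age and zip) and the generalization rules are constructed for the example:

```python
"""k-anonymity check, generalization and suppression over a small ad-profile table.
Added example of the concept, not Google's Privacy Sandbox code; the records and
the quasi-identifier choice are constructed for illustration."""
from collections import Counter

# Constructed sample records: quasi-identifiers (age, zip) plus a sensitive
# attribute (interest) an ad system wants to learn without re-identifying anyone.
RECORDS = [
    {"age": 34, "zip": "94107", "interest": "cycling"},
    {"age": 36, "zip": "94107", "interest": "cooking"},
    {"age": 52, "zip": "94110", "interest": "cycling"},
    {"age": 58, "zip": "94110", "interest": "hiking"},
    {"age": 29, "zip": "94107", "interest": "hiking"},
]
QUASI = ("age", "zip")


def equivalence_classes(rows, quasi=QUASI):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def k_anonymity(rows, quasi=QUASI):
    """The k such that every quasi-identifier combination appears at least k
    times (0 for an empty table).  k == 1 means some row is unique."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def generalize(rows, age_width=10, zip_digits=3):
    """Coarsen the quasi-identifiers: age into buckets, zip to a prefix."""
    out = []
    for r in rows:
        lo = (r["age"] // age_width) * age_width
        out.append({**r, "age": f"{lo}-{lo + age_width - 1}",
                    "zip": r["zip"][:zip_digits] + "*"})
    return out


def suppress_below_k(rows, k, quasi=QUASI):
    """Drop every row whose equivalence class is smaller than k."""
    classes = equivalence_classes(rows, quasi)
    return [r for r in rows if classes[tuple(r[q] for q in quasi)] >= k]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))
    g = generalize(RECORDS, age_width=20)
    print("generalized k =", k_anonymity(g), "classes:", dict(equivalence_classes(g)))
    s = suppress_below_k(generalize(RECORDS), 2)
    print("after suppression:", len(s), "of", len(RECORDS), "rows kept")
```

Raw, every (age, zip) pair is unique, so k is 1 and each row is re-identifiable; widening the age bucket to 20 years and truncating the zip raises k to 2, while 10-year buckets leave one singleton that has to be suppressed instead. Differential privacy, the other concept the episode names, takes a different route (noise on aggregate answers rather than coarsening of records) and is not shown here.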
ChatGPT and similar AI tools are dominating the public's mind these days. In this episode we discuss the potential for people to attempt to use ChatGPT as a source of reputational analysis, KYC, and other information about individuals, companies, and other entities, and we explain why these activities are potentially subject to both error and deliberate misdirection.
Feb 09, 2023•8 min
In a recently revealed security breach, an attacker gained a copy of the full 2019 TSA No Fly list, including subject PII. This breach was enabled by failures in digital identity and encryption. Join us in unpacking what happened and the lessons to be learned.
Feb 06, 2023•8 min
The U.S. government has a new law requiring that government agencies create plans for migrating to post-quantum cryptography in response to impending threats from quantum computers. In this episode we are joined by guest Bruno Couillard of Crypto4A to discuss the law and its implications.
Feb 03, 2023•14 min
The industry is seeing more and more attention spent on the idea of CA agnosticism. As with any buzzy technology term, it can be used to mean a variety of things. Join us as we catalog the various ways a Certificate Lifecycle Management (CLM) system can be "CA agnostic."
Jan 30, 2023•21 min
Concerns recently have been raised about OCSP real-time certificate checking and its potential to violate privacy. In this episode we unpack these concerns and discuss the alternatives to OCSP.
Jan 27, 2023•12 min
A group of white hat security researchers recently revealed a large number of identity-based vulnerabilities across many automotive manufacturers. In this episode we explain how they exploited these manufacturers' dependence on non-secret "secrets" such as VIN or email address to force a raft of unacceptable behaviors across a large number of automotive brands.
Jan 23, 2023•22 min
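The "non-secret secret" pattern from the automotive episode above, shown as a vulnerable authorization check beside a hardened one. This is an added illustration, not code from any manufacturer or from the researchers; the routes, the owner and session tables and the VINs are constructed for the example:

```python
"""Vulnerable versus hardened authorization for a vehicle-command API.
Added illustration of the 'non-secret secret' pattern; not code from any
manufacturer.  The records, session model and VINs are constructed."""

# Constructed data: who owns which vehicle, and which session belongs to whom.
OWNERS = {"1HGCM82633A004352": "alice", "WBA3A5C5XDF123456": "bob"}  # VIN -> owner
SESSIONS = {"sess-alice": "alice", "sess-mallory": "mallory"}       # token -> user


def unlock_vulnerable(request):
    """Authorizes on a value anyone can read off a windshield: the VIN."""
    vin = request.get("vin")
    if vin in OWNERS:                          # only checks that the vehicle exists
        return {"ok": True, "vin": vin, "action": "unlock"}
    return {"ok": False, "error": "unknown VIN"}   # and leaks which VINs exist


def unlock_hardened(request):
    """Binds the action to an authenticated identity and checks ownership."""
    user = SESSIONS.get(request.get("session"))
    if user is None:
        return {"ok": False, "error": "unauthorized"}
    vin = request.get("vin")
    # Identity comes from the session, never from the request body.  The VIN is
    # only a selector, and a wrong or unknown VIN gets exactly the same answer
    # as someone else's VIN, so the endpoint cannot be used to enumerate fleet.
    if OWNERS.get(vin) != user:
        return {"ok": False, "error": "unauthorized"}
    return {"ok": True, "vin": vin, "action": "unlock"}


# A caller who merely knows a VIN and holds an unrelated account's session.
ATTACKER_REQUEST = {"vin": "1HGCM82633A004352", "session": "sess-mallory"}
OWNER_REQUEST = {"vin": "1HGCM82633A004352", "session": "sess-alice"}

if __name__ == "__main__":
    print("vulnerable:", unlock_vulnerable(ATTACKER_REQUEST))
    print("hardened  :", unlock_hardened(ATTACKER_REQUEST))
    print("owner     :", unlock_hardened(OWNER_REQUEST))
```

The same shape applies to email-address lookups: an email is a selector for an account, not proof that the caller controls it, so any action keyed on it has to be gated by an authenticated session that is checked against the record it selects.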
One of the little known changes coming to the world of TLS is that key establishment in the handshake is moving from public key encryption (PKE) to key encapsulation mechanisms (KEMs). In this episode we explain the difference between the two methods and why this change is taking place.
Jan 20, 2023•12 min
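The PKE-versus-KEM distinction from the episode above, as an added toy example (not code from the episode or from any TLS implementation). The group parameters are deliberately tiny and the constructions are stand-ins chosen for clarity: ElGamal plays the role of the public key encryption used for key transport, and a hashed Diffie-Hellman value plays the role of the KEM; neither is fit for real use, and the point is the shape of the two interfaces:

```python
"""Toy contrast between key transport with public key encryption (PKE) and a
key encapsulation mechanism (KEM).  Added example; the modulus, base and the
ElGamal / hashed-DH constructions are assumptions for the demo only."""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime 2**127 - 1: toy modulus (assumption: demo only)
G = 3                # toy base; the subgroup order does not affect correctness here


def keygen():
    sk = secrets.randbelow(P - 2) + 1     # 1 <= sk <= P-2
    return sk, pow(G, sk, P)


# --- PKE key transport (the pre-TLS 1.3 RSA style): the CLIENT picks the secret
# and encrypts it to the server's public key.  ElGamal stands in for RSA.
def pke_encrypt(pk, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def pke_decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P      # c1^(-sk) via Fermat's little theorem


def pke_handshake():
    sk, pk = keygen()                              # server key pair
    premaster = secrets.randbelow(P - 1) + 1       # client CHOOSES the secret...
    ct = pke_encrypt(pk, premaster)                # ...and transports it
    return premaster == pke_decrypt(sk, ct)


# --- KEM: encaps() returns a ciphertext AND a shared secret that neither side
# chose; decaps() recomputes the same secret from the ciphertext and sk.
def _kdf(ct, shared):
    return hashlib.sha256(ct.to_bytes(16, "big") + shared.to_bytes(16, "big")).digest()


def kem_encaps(pk):
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    return ct, _kdf(ct, pow(pk, r, P))


def kem_decaps(sk, ct):
    return _kdf(ct, pow(ct, sk, P))


def kem_handshake():
    sk, pk = keygen()
    ct, ss_client = kem_encaps(pk)                 # the client never picks ss
    ss_server = kem_decaps(sk, ct)
    return ss_client == ss_server, ss_client


if __name__ == "__main__":
    print("PKE transport round-trip ok:", pke_handshake())
    ok, ss = kem_handshake()
    print("KEM round-trip ok:", ok, "shared secret:", ss.hex()[:16], "...")
```

The API difference is the whole story: a PKE exposes encrypt(pk, message) and decrypt(sk, ciphertext) and lets one party decide what the secret is, whereas a KEM exposes encaps(pk) and decaps(sk, ciphertext) and hands both parties a derived secret. Lattice schemes such as Kyber are specified as KEMs, which is why the handshake is being re-cast around that interface.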