With a maximum 90-day term coming for public SSL certificates and DCV reuse also moving to 90 days, we explain why we do not expect a similar reduction in the reuse period for organization validation.
Feb 02, 2024•16 min
In this episode we present a catalog of "security questionnaire sins," which are avoidable problems and errors that frequently occur in the security questionnaires enterprises send to vendors. Categories include difficulty of access, poor technical implementation, poor policies, and poor questions.
Jan 30, 2024•33 min
Three major camera manufacturers have joined to create a standard for signed digital images from their cameras.
Jan 26, 2024•12 min
Multi-perspective Domain Validation (MPDV) is a necessary evolution of Domain Control Validation (DCV) to protect against Border Gateway Protocol (BGP) attacks. We explore how MPDV may affect accepted DCV methods, especially the email method.
Jan 22, 2024•16 min
In this episode we explore whether a managed PKI provider should give complete control over PKI decisions to the end customer or if it should enforce certain minimum standards and principles regardless of what the customer asks for.
Jan 19, 2024•23 min
A newly published attack against common implementations of CRYSTALS-Kyber illustrates how cryptographic implementations can be vulnerable even if the ciphers themselves remain sound.
Jan 16, 2024•12 min
Our hosts firmly believe that PKI is a necessary component of all digital interactions. And yet there are still gaps in PKI implementation. We discuss these gaps and why they persist.
Jan 09, 2024•24 min
Meta is finally rolling out end-to-end encryption across its messaging apps. This is the latest chapter in the long story of government versus encryption. We rant a little about this.
Jan 04, 2024•15 min
We look forward to 2024 and predict trends for PKI, certificates, and digital identity. We discuss shortening certificate lifespans, Multi-perspective Domain Validation (MPDV), eIDAS 2.0, OCSP, post-quantum cryptography (PQC), Certificate Lifecycle Management (CLM), passwords, root stores, and government versus encryption. Plus, will Jason be sent to the gulag for not being Canadian enough?
Dec 27, 2023•18 min
GDPR provides a "right to be forgotten," whereby individuals can demand the removal of PII from IT systems. This can run directly contrary to the transparency and permanence built into the DNA of public PKI systems. We explore this conundrum.
Dec 21, 2023•15 min
We look back at PKI in 2023. Trends include artificial intelligence, enterprise crypto agility, the fall of OCSP, PKI everywhere, the weakness of passwords, and government versus the internet. We also look at last year's predictions and compare them to the year's events.
Dec 18, 2023•23 min
One foundational element of modern cryptographic systems is the Merkle tree. The Merkle tree is an enabler of blockchain and CT logs, among other things. We explain this data structure, its properties, and its use cases.
Dec 15, 2023•12 min
90-day SSL certificates are only part of it! 2023 has been a year of certificate lifespans getting shorter. We review these trends.
Dec 11, 2023•19 min
In this episode we uncover the epidemic of private credentials in public-facing code repositories, including why it occurs and what to do about it.
Dec 08, 2023•15 min
The European Union is applying pressure to Apple to allow sideloading of applications. We go over why this is occurring, the potential dangers, and Apple's response.
Dec 05, 2023•13 min
NIST's Round 3 competition has yielded winners for standardization. But NIST wants to continue finding additional potential algorithms, especially those using non-Lattice schemes. We explain the PQC "onramp" and what we should expect.
Nov 29, 2023•17 min
ETSI is preparing to release specifications for eIDAS 2.0. One controversial aspect of this new standard is that it limits browsers' ability to determine their own trusted roots. In this episode we explain this limitation and the concerns surrounding it.
Nov 22, 2023•26 min
The CA/Browser Forum rules address how often forced password changes for CA employees are to occur. They don't, however, specify a frequency at which these forced changes must occur. Rather, they set the MINIMUM time before forced password changes can happen. Join us to learn why.
Nov 17, 2023•11 min
The practice of sending security questionnaires to technology vendors is exploding, and with it dysfunctional behavior is on the rise. In this episode we describe how security questionnaires are changing and the pitfalls associated with this emerging practice.
Nov 13, 2023•19 min
Canada's Online Streaming Act will require internet content providers to provide a minimum percentage of content produced by Canadians or face fines. We explore this latest episode in the theme of governments attempting to control the free flow of information on the internet.
Nov 06, 2023•14 min
In this episode we describe at a high level how to calculate the Total Cost of Ownership (TCO) of CLM as opposed to manual installation and management of certificates.
Oct 31, 2023•11 min
In this follow-up to our episode on CLM and the IT skills gap, we now discuss how CLM matters to individual IT professionals and can help progress careers and improve work life.
Oct 23, 2023•19 min
For decades industry has had more need for skilled IT employees than the workforce could provide. In this episode we discuss how Certificate Lifecycle Management and certificate automation can help mitigate the challenges posed by the IT skills gap.
Oct 10, 2023•21 min
A recent press release discusses efforts of camera manufacturers and the digital imagery supply chain to create an ecosystem for digitally signed images. We describe what such an ecosystem would do, where it could go in the future, and the advantages and limitations of these schemes.
Oct 03, 2023•14 min
In this episode we describe a social engineering attack to steal a one-time password (OTP) to enable unauthorized access. This incident further exploited a cloud backup feature to extend the scope of the breach. We explain.
Sep 29, 2023•10 min
Most people hate dealing with CAPTCHA, but it offers great benefits for web site operators. In this episode we discuss alternatives to CAPTCHA, how they work, and their pros and cons. Plus, the Get-Off-My-Lawn! browser returns.
Sep 26, 2023•18 min
A newly revealed side-channel attack can capture AES encryption keys from Intel chips. We explain this significant and powerful attack.
Sep 20, 2023•17 min
Researchers have built an AI model that can interpret keystrokes based on the sound of keyboard use over a phone or video call. Among other things, this technique can be used to steal passwords when the sound of logging in can be overheard. Join us as we learn about this new breed of credential harvesting.
Sep 14, 2023•11 min
Recent erroneous behavior for certain applications on Windows has drawn attention to the Microsoft trusted root store. It turns out that Microsoft removed - and then re-added - a legacy VeriSign root in its trusted roots list. We give you the details of what went on and why.
Sep 13, 2023•14 min
Our hosts are joined by IronCap CEO Andrew Cheung as he discusses commercially available PQC solutions today, including VPN, email, and cryptocurrency.
Sep 05, 2023•22 min