Though it is the closest thing to an industry-standard API, there are still products and operating systems that don't support ACME. In this episode we explore what happens to these products once 90-day SSL certificates become the requirement.
Sep 08, 2024•16 min
One seldom discussed consequence of quantum computers and PQC is the move from cryptographic homogeneity to cryptographic heterogeneity, with multiple KEMs and DSAs eventually expected as ongoing standards. We examine the consequences of this change.
Sep 06, 2024•18 min
We introduce pkimetal, an open source project from Rob Stradling that allows CAs to use many popular linters through a single integration. We explain the importance and pitfalls of linters and how pkimetal improves linter implementation.
Sep 02, 2024•9 min
An enterprise SSL subscriber recently used a Temporary Restraining Order to prevent the proper revocation of misissued certificates. We explain what happened, why it's deeply problematic, and how the industry might consider responding.
Aug 29, 2024•23 min
NIST recently released PQC algorithmic standards in FIPS-203, FIPS-204, and FIPS-205 (ML-KEM, ML-DSA, and SLH-DSA). We describe what is necessary for enterprises to begin using these algorithms.
Aug 27, 2024•20 min
In this episode we detail the mandatory revocation periods for leaf certificates and intermediates and explain when a 24-hour versus a 120-hour revocation deadline applies.
Aug 23, 2024•12 min
On August 13, 2024, NIST released its first three standards for PQC algorithms, ML-KEM, ML-DSA, and SLH-DSA. We tell you where to find them and talk about what happens next.
Aug 16, 2024•7 min
Cookies are incredibly useful but also pose grave privacy concerns. We have in the past covered Chrome's initiatives to replace cookies. Now Chrome has announced that for the foreseeable future cookies will remain. We explain.
Aug 13, 2024•10 min
A popular belief is that Grover's algorithm will require that we double our AES key sizes. Repeat guest Bas Westerbaan of Cloudflare explains why this myth is incorrect and talks through the concept of "security levels" in post-quantum cryptography.
Aug 09, 2024•20 min
We examine one specific aspect of the recent CrowdStrike flaw. Microsoft blames the problem on the fact that it must, by European law, allow kernel updates to Windows. We unpack the challenges this poses.
Aug 06, 2024•15 min
This week Mozilla chose to follow Chrome in deprecating the Entrust trusted roots. We give you the details and explain why this action matters.
Aug 02, 2024•15 min
In the past three months we featured far-ranging conversations about post-quantum cryptography (PQC) with experts Bas Westerbaan of Cloudflare, Dustin Moody of NIST, and Bruno Coulliard of Crypto4A. In this episode we recap important takeaways from these conversations.
Jul 29, 2024•13 min
WebAuthn arrived last year with great fanfare. But here we are in the latter half of 2024, and it is rarely used. In this episode we discuss why.
Jul 25, 2024•13 min
When we discuss certificate discovery in CLM platforms, there is a common assumption that we're talking about public certificates exclusively. In this episode we explain the value of certificate discovery for internal PKI certificates also.
Jul 22, 2024•18 min
In this episode we explain what an adversarial, self-replicating prompt, otherwise known as a prompt worm, is.
Jul 19, 2024•25 min
The US Supreme Court has struck down Chevron deference, which greatly expanded federal agencies' power to interpret and enforce statutes. This monumental ruling stands to shift power considerably from agencies to courts and will put more pressure on legislatures to write precise laws around tech. We explore the consequences of this ruling.
Jul 16, 2024•16 min
We are joined again by Dustin Moody, who leads the NIST search for PQC algorithms. In this episode Dustin describes going-forward efforts, including Round 4 of the NIST contest and the Onramp. We discuss some of the candidate algorithms and the consequences of having multiple algorithms available for use.
Jul 12, 2024•22 min
A new social engineering exploit instructs victims to enter command line prompts to hack themselves on behalf of the hacker. We explain and discuss potential responses.
Jul 09, 2024•15 min
A newly revealed OpenSSH vulnerability can open enterprises to remote code execution. We explain what is happening, why you should care, and what to do about it.
Jul 05, 2024•10 min
To combat piracy of sporting event transmissions, a French court has ordered major tech companies including Google and Cloudflare to poison DNS settings. In this episode we provide some detail and generally marvel at this strange decision.
Jul 02, 2024•11 min
On June 27, 2024 Google Chrome announced it was distrusting Entrust as a public CA starting November 1, 2024. We explain what to expect, go over Google's stated reasons, and share some of what led up to this.
Jun 28, 2024•20 min
In this episode we are joined by Dr. Dustin Moody, leader of the NIST post-quantum cryptography contest. Dustin gives us an inside view of the background behind NIST's decision to run the contest and how we got to where we are today.
Jun 27, 2024•26 min
In this new conversation with Bas Westerbaan of Cloudflare, we reveal that all existing PQC systems present significant problems for incorporation into our existing ecosystems. We explain the problems with existing systems and some options for what to do about it.
Jun 24, 2024•28 min
Microsoft has proposed a feature called Recall that uses screen images to fuel AI-assisted capabilities. This has raised fears about the security decisions around this capability. We talk about why, and how the proposed technology has changed as a result.
Jun 21, 2024•14 min
In this episode we compare the advent of cryptographically relevant quantum computers (sometimes called Y2Q) to Y2K. We uncover similarities and differences and discuss how they govern decision making between now and Y2Q.
Jun 18, 2024•24 min
In this episode we drill down on one aspect of the loss of more than 500 million Ticketmaster users' data, which is the use of MFA for access to the Snowflake platform.
Jun 14, 2024•11 min
Chrome's recent 124 release supports PQC algorithms from NIST. This has led to the discovery of software and systems that break under these circumstances. We explain what happened, why, and what to do about it.
Jun 11, 2024•12 min
In the most recent CA/Browser Forum face-to-face meeting, the Google Chrome root program gave a presentation clearly defining its expectations for quality of incident reporting from CAs with an eye to where many CAs have been failing. We relate Chromium's statements and their significance.
Jun 07, 2024•21 min
Cloudflare research engineer Bas Westerbaan joins us to share his observations about post-quantum cryptography and what it does in the real world. We talk about the pragmatic needs of moving the internet to PQC and speculate about timelines for availability of PQC certificates.
Jun 04, 2024•22 min
A root trust deprecation highlights new Chrome functionality that enables more agile and less disruptive distrust events. We explain the significance of this event.
May 31, 2024•22 min