In this episode we discuss the thinking on how adversaries can exploit the flaws in AI models to achieve unexpected and dangerous results. We explore some potential paths of defense against attacks of this sort.
Mar 21, 2025•13 min
RSA is under attack. Even without the quantum threat, we face the possibility of smart new exploits reducing the viable RSA key space and rendering it unsafe. In this episode we discuss the merits of choosing ECC over RSA as soon as today.
Mar 17, 2025•16 min
We discuss how various popular computing platforms approach security and highlight the differences between them.
Mar 12, 2025•18 min
Jason recounts a 2024 Black Hat talk about the need for objective measurements of our IT defenses and whether the good guys or bad guys are winning. Jason breaks down how to define and measure the impact of security measures.
Mar 10, 2025•17 min
It's the stuff of science fiction! Interesting research shows how today's AI technology is capable of lying to and scheming against its human owners in service of its goals.
Mar 05, 2025•16 min
We talk a lot about Shor's algorithm in our discussion of post-quantum cryptography (PQC). In this episode Jason explains Shor's algorithm for non-quantum physicists.
Mar 02, 2025•21 min
Jason reports on a 2024 Black Hat keynote about how modern software development practices inhibit innovation and invention.
Feb 28, 2025•10 min
AI tools are now available to perform red-teaming activity for DevSecOps. Such tools are soon to be table stakes in the constantly escalating IT security arms race. Join us to learn more.
Feb 26, 2025•11 min
In this episode, guest Alexandre Giron explains what is needed to support post-quantum cryptography (PQC) with ACME.
Feb 23, 2025•21 min
Not all forms of MFA are equally secure. In this episode we describe the differences between the more secure and less secure forms of MFA.
Feb 19, 2025•12 min
In this episode we explain the all-or-nothing fallacy in cybersecurity and how it's affecting debate in the WebPKI right now.
Feb 17, 2025•7 min
A new demand from the UK seeks complete access to all Apple cloud data housed in the UK, regardless of the data owners' citizenship and residency. We unpack this latest development in Government versus Encryption.
Feb 14, 2025•10 min
The past year has seen a great deal of focus on the use of public TLS certificates where private root certificates are actually the appropriate solution. In this episode we discuss the differences between these two use cases and what IT organizations can do about it.
Feb 12, 2025•10 min
Apple is proceeding with a ballot that eventually will shorten SSL certificate maximum term to 47 days. Accompanying the ballot, Apple released a statement explaining its intent with the ballot. In this episode we unpack its statements.
Feb 09, 2025•31 min
In the wake of the Bugzilla Bloodbath, we list and describe twelve sins CAs commit on Bugzilla and its like, why they're detrimental, and how CAs should avoid them.
Feb 07, 2025•43 min
Harvest and decrypt is a well-known attack vector against traditional cryptography prior to PQC. In this episode, we discuss what enterprises should be doing today to defend themselves against harvest and decrypt.
Feb 05, 2025•10 min
In this episode we explain that all cellular networks, contrary to popular belief, are fundamentally insecure.
Feb 03, 2025•12 min
In this episode we walk through the evolution of the war on cryptography, from the beginning up through today, terminating in what we call Crypto War 3.0.
Jan 31, 2025•22 min
Sectigo today announced the acquisition of the Entrust public CA business. Entrust will go forward as a Sectigo reseller. Join us to learn the details.
Jan 29, 2025•10 min
In this episode we are joined by Dr. Michele Mosca. We discuss his pioneering work identifying the need for post-quantum cryptography, where PQC stands today, and what the future may hold.
Jan 28, 2025•32 min
2024 set in motion major changes for certificate lifespans and DCV. In this episode we discuss the Apple 47-day proposal, stepping down certificate term, public versus private CA use cases, DCV reuse periods, MPIC, WHOIS, and other topics.
Jan 24, 2025•12 min
Apple has added itself to the Entrust distrust and has extended this distrust to S/MIME and VMC. We explain.
Jan 19, 2025•9 min
We had a remarkable year on the Root Causes podcast in terms of our guests. We look back at the extremely expert guests we were lucky to talk about in 2024.
Jan 17, 2025•11 min
In this 2024 lookback episode, we give an overview of the firestorm of Bugzilla incidents that we refer to as the Bugzilla Bloodbath. The Bugzilla Bloodbath affected actions around the Entrust distrust, delayed revocation reform, 47-day SSL certificate maximum term, linting, and more.
Jan 14, 2025•11 min
We talk with guest Sofia Celi of Brave Browser, who leads the IETF PQC standardization effort, about the process of setting standards for PQC-compatible digital certificates. We learn about expected timelines, hybrid strategies, the NIST PQC onramp's role, and more.
Jan 08, 2025•36 min
2024 was an eventful year for post-quantum cryptography (PQC). This includes FIPS standards, the PQC onramp, and the dawn of widespread interest among IT professionals.
Jan 02, 2025•8 min
The old adage states that a monkey in front of a keyboard, given enough time, could randomly type the works of Shakespeare. Apparently, someone ran the numbers and said not so much. We break it down and explain why we're discussing this on a PKI podcast.
Jan 02, 2025•14 min
We go over our predictions for 2024 and score our ability as prognosticators.
Dec 26, 2024•11 min
It was a crazy year for CA/Browser Forum activity, with nearly three times the normal number of ballots. Guest Martijn Katerbarg goes over the 32 CABF ballots from 2024.
Dec 26, 2024•35 min
We make our 2025 predictions. Topics include maximum certificate term, AI, post-quantum cryptography (PQC), deep fakes, and more.
Dec 23, 2024•48 min