Root Causes: A PKI and Security Podcast

Senior cyber security advisor Chris McGrath joins us to discuss redefining digital certificates and their role in your organizational security profile, increasing regulation of certificates, and how enterprises can up their certificate game.

We name the ten enterprise environments and use cases that are most likely to be late adopters of post quantum cryptography (PQC).

We discuss the foundational importance of time in PKI and security in general. This includes when things happen, the order in which things happen, and attacks based on time-spoofing. We drill down on certificates, roots, timestamping, Certificate Transparency, patching, audits, and PQC.

In our concluding episode on the topic, we scrutinize arguments make for and against QWACs, this time focused on "compliance and interoperability."

In our second of three episodes on the topic, we scrutinize arguments make for and against QWACs, this time focused on "governance and sovereignty."

As a follow up to our episode 546, we break down the first of three sets of arguments about QWACs and examine their level of validity.

You may have heard of side channel attacks. Now Jason explains what a side oracle attack is and how a side oracle attack in conjunction with AI could be effective against the HQC or Falcon PQC algorithms.

One of the NIST Round 3 PQC finalists that was never selected or eliminated is Classic McEliece. In this episode we explain in non-math terms how this algorithm works.

Continuing our examination of AI in 1000 days, we discuss the use of finely tuned small language models for highly specific use cases.

We discuss what happens when the quality gap between AI-generated and human-generated content drops to zero. We explore the consequences of this inevitable outcome.

In our ongoing series on what AI will look like in 1000 days, we discuss the spread of a new business process, where AIs do the bulk of the work while humans sit in the loop for certain specific tasks and roles.

Following up on our list of top 5 PQC vanguards, in this episode we detail the top 5 PQC laggards.

We describe the top five technology categories that are on the vanguard of driving PQC adoption. We describe what these categories have in common and how that results in early adoption of post quantum cryptography.

We detail the top ten groups inside the organization who introduce rogue certificates into IT organizations.

Tech watchers tend to conflate the many quantum technologies under development right now. In this episode we go through these technologies and explain how they connect.

We discuss quantum clocks and their potential role in cryptography.

We share our PKI predictions for 2026. Topics include PQC, eIDAS 2, CT logging, ACME, passkeys, CA distrust, AI model poisoning, and new attack vectors.

Jason explores the role cryptography and trust systems play in the command and control of groups of autonomous drone systems.

Certificate maximum term is shrinking. In this episode we examine exactly how short they could get.

In our ongoing series on AI in 1000 days, we describe the inevitable, complete distrust of voice printing as an authentication method, including why and what we think will happen.

We begin a new series about what we expect from AI in the next three years. In this episode we discuss AI emulating emotional intelligence and its benefits.

In this episode we discuss the value for enterprises in running mass revocation drills and compare the merits of tabletop exercises versus voluntary revocation events.

We are joined by guests Pol Holzmer and Johannes Sedlmeir to describe their recent research that documents and organizes public arguments made about QWAC certificates.

The MOSH tool aids the use of SSH-secured sessions, especially across different systems. Jason unpacks the security of this system and how it uses encryption and shared secrets.

Chain of lure is an attack method used to circumvent restrictions and boundaries places on AIs. Jason explains this attack and its implications.

We have seen the first known instance of an AI tool discovering a zero-day vulnerability. This could have vast implications on vulnerability detection and bug bounty programs. We discuss the implications.

In this episode we go over some of the reasons one might choose HQC over ML-KEM as a PQC key exchange algorithm for specific circumstances. And we discuss the future diversity of cryptography.

NIST recently selected a second Key Exchange Module (KEM) among the PQC algorithms, HQC. We explain this code-based algorithm.

We define Cryptographic Bill of Materials (CBOM), which is more than a list of your cryptography and where it is. A CBOM need also include information about the PQC readiness of environments, availability of updates, and the importance of secrets.

A new kind of eIDAS QWAC (Qualifieid Website Authentication Certificate) is on the way. The "two-QWAC architecture" introduces a second certificate containing organization information to be displayed by the browser, to sit alongside but independent of the certificate that authenticates a domain. We explain what's coming and why.

An environment in which credentials are extremely predictable could be described as an entropy desert. There are occurring at a global scale. We discuss concepts like measurable entropy availability and entropy by design.

In this episode we build on our concept of entropy-aware guidance to explain how we might quantify privacy. We touch on GDPR, proof of work, and Landaur's principle.

A patent dispute in 2024 nearly blocked ML-KEM. But emerging thinking raises concern that the 2024 resolution did not guarantee full, clear access to all ML-KEM implementations. We explain.

The CPS must always be a superset of actual practices in a properly running CA. We explain why this is a product of good design.

Imagine what happens if you use the wrong LLM, including a malicious model placed there to create mischief or crime. How do you know? Jason proposes that, the same way we sign our code, we should be signing our AI models as well.

We discuss how a static PKI structure can hurt corporate flexibility and resilience. Events like reorgs and M&A activity can cause intractable problems with the wrong PKI setup. Plus, Jason coins the term PKI archeology.

In this episode, Jason describes how we might use the principles of PKI in a purely offline scenario.

Public certificates are transitioning from multi-purpose root hierarchies to single-purpose ones. We discuss why.

We compare AI in 2025 to Internet in 1995 and describe the AI iceberg, including the majority of applications which are below the waterline.

Verified Mark Certificates (VMC) now have a companion product for logos that are not registered trademarks, called a Common Mark Certificate (CMC). We explain the differences.

A CA has incorrectly issued TLS certificates for the 1.1.1.1 and 2.2.2.2 IP addresses. We go into the details.

Client authentication using public TLS server certificates is on the deprecation path. In this episode we go through the key dates in this deprecation.

Based on the ready availability of AI-based voice cloning, we declare voice biometric authentication to be utterly valueless.

A new CABF ballot proposal will eliminate all email- and phone-based DCV over the next few years. We go into the details.

Three major changes are coming to the world of public certificates, all of which require major changes in how organizations deploy, renew, and manage their certificates. These are 47-day SSL, PQC, and the deprecation of mTLS. We describe the overlap between these efforts and how to combine them for better efficiency and project management.

MPIC (Multi-perspective Issuance Corroboration) is soon to move into enforcement phase. In this episode we describe three configuration decisions that can force Domain Control Validation (DCV) to fail and tell you what to do about them before you have a problem.

We complete our description and commentary on the results of Sectigo's survey of enterprise preparedness for Post Quantum Cryptography (PQC).

We begin to go over the results of Sectigo's recent survey of enterprises and their preparedness and plans for adopting Post Quantum Cryptography (PQC).

Sectigo has released the results of its survey of IT professionals in charge of certificates to measure their readiness and preparation for 47-day maximum certificate term. We go over the results.

AI is not the elephant in the room. It is the room itself. Jason explains what he means by that.

Britain's National Cyber Security Centre recently issued a lukewarm verdict on passkeys as an authentication solution. We explore the problems with WebAuthn, including account recovery, spotty availability, inconsistent implementation, and lack of Linux support.