Root Causes: A PKI and Security Podcast

We look at the new European DORA and NIS2 regulations and how Certificate Lifecycle Management is a key requirement to meet these requirements. You will be surprised how explicit these requirements are.

In an innovative application, an AI has been used to find private keys for ECC (Elliptic Curve Cryptography) P 256. We explain how.

New research indicates that the number of qubits necessary to achieve cryptographic relevance has reduced by two orders of magnitude. We cover this breaking news and its implications.

By CABF ballot all manual methods of Domain Control Validation (DCV) will be deprecated by 2028. We explain which methods are due for deprecation and when.

We go over the qualities in abstract of a use case that strongly invites the use of hybrid certificates and then run down a list of specific use cases that meet these criteria. This includes OT systems, code signing, secure boot, WiFi, enterprise S/MIME, and more.

In this episode Jason declares that we must make cryptography boring again. We get into what that means and why it matters.

We have seen much talk of the upcoming drop of maximum TLS term to 200 days, followed by 100 days, and eventually down to 47 days. It happens that all those numbers are too large and the actual maxima will be less than that. We explain.

March 2026 is due to be the most eventful month in the history of the WebPKI. Join us as we go over all the many changes coming next month.

A large investment firm divests from Bitcoin for fear of the quantum threat.

Everybody knows about March 15 and the drop in maximum public TLS certificate term to 200 days. But that only scratches the surface on key dates with this maximum term reduction. Join us as we go over "all the dates" for TLS maximum term reduction.

We score our 2025 predictions in this second of two parts.

Every new year we make predictions for the year to come, and every year we go back and see how we did. This is the first of two parts scoring our 2025 predictions.

We discuss the idea that not all cryptographic entropy is equally "random" and potential consequences.

We discuss the idea that it might be impossible to actually create a cryptographically relevant quantum computer and weigh in on this idea.

Repeat guest Chris McGrath shares what enterprises need to be doing now to stay on track for the NIST PQC deadline in 2030.

Repeat guest Chris McGrath joins us to discuss how increasingly strict regulations are requiring increased rigor, visibility, and auditability for enterprise digital certificates and PKI.

Senior cyber security advisor Chris McGrath joins us to discuss redefining digital certificates and their role in your organizational security profile, increasing regulation of certificates, and how enterprises can up their certificate game.

We name the ten enterprise environments and use cases that are most likely to be late adopters of post quantum cryptography (PQC).

We discuss the foundational importance of time in PKI and security in general. This includes when things happen, the order in which things happen, and attacks based on time-spoofing. We drill down on certificates, roots, timestamping, Certificate Transparency, patching, audits, and PQC.

In our concluding episode on the topic, we scrutinize arguments make for and against QWACs, this time focused on "compliance and interoperability."

In our second of three episodes on the topic, we scrutinize arguments make for and against QWACs, this time focused on "governance and sovereignty."

As a follow up to our episode 546, we break down the first of three sets of arguments about QWACs and examine their level of validity.

You may have heard of side channel attacks. Now Jason explains what a side oracle attack is and how a side oracle attack in conjunction with AI could be effective against the HQC or Falcon PQC algorithms.

One of the NIST Round 3 PQC finalists that was never selected or eliminated is Classic McEliece. In this episode we explain in non-math terms how this algorithm works.

Continuing our examination of AI in 1000 days, we discuss the use of finely tuned small language models for highly specific use cases.

We discuss what happens when the quality gap between AI-generated and human-generated content drops to zero. We explore the consequences of this inevitable outcome.

In our ongoing series on what AI will look like in 1000 days, we discuss the spread of a new business process, where AIs do the bulk of the work while humans sit in the loop for certain specific tasks and roles.

Following up on our list of top 5 PQC vanguards, in this episode we detail the top 5 PQC laggards.

We describe the top five technology categories that are on the vanguard of driving PQC adoption. We describe what these categories have in common and how that results in early adoption of post quantum cryptography.

We detail the top ten groups inside the organization who introduce rogue certificates into IT organizations.

Tech watchers tend to conflate the many quantum technologies under development right now. In this episode we go through these technologies and explain how they connect.

We discuss quantum clocks and their potential role in cryptography.

We share our PKI predictions for 2026. Topics include PQC, eIDAS 2, CT logging, ACME, passkeys, CA distrust, AI model poisoning, and new attack vectors.

Jason explores the role cryptography and trust systems play in the command and control of groups of autonomous drone systems.

Certificate maximum term is shrinking. In this episode we examine exactly how short they could get.

In our ongoing series on AI in 1000 days, we describe the inevitable, complete distrust of voice printing as an authentication method, including why and what we think will happen.

We begin a new series about what we expect from AI in the next three years. In this episode we discuss AI emulating emotional intelligence and its benefits.

In this episode we discuss the value for enterprises in running mass revocation drills and compare the merits of tabletop exercises versus voluntary revocation events.

We are joined by guests Pol Holzmer and Johannes Sedlmeir to describe their recent research that documents and organizes public arguments made about QWAC certificates.

The MOSH tool aids the use of SSH-secured sessions, especially across different systems. Jason unpacks the security of this system and how it uses encryption and shared secrets.

Chain of lure is an attack method used to circumvent restrictions and boundaries places on AIs. Jason explains this attack and its implications.

We have seen the first known instance of an AI tool discovering a zero-day vulnerability. This could have vast implications on vulnerability detection and bug bounty programs. We discuss the implications.

In this episode we go over some of the reasons one might choose HQC over ML-KEM as a PQC key exchange algorithm for specific circumstances. And we discuss the future diversity of cryptography.

NIST recently selected a second Key Exchange Module (KEM) among the PQC algorithms, HQC. We explain this code-based algorithm.

We define Cryptographic Bill of Materials (CBOM), which is more than a list of your cryptography and where it is. A CBOM need also include information about the PQC readiness of environments, availability of updates, and the importance of secrets.

A new kind of eIDAS QWAC (Qualifieid Website Authentication Certificate) is on the way. The "two-QWAC architecture" introduces a second certificate containing organization information to be displayed by the browser, to sit alongside but independent of the certificate that authenticates a domain. We explain what's coming and why.

An environment in which credentials are extremely predictable could be described as an entropy desert. There are occurring at a global scale. We discuss concepts like measurable entropy availability and entropy by design.

In this episode we build on our concept of entropy-aware guidance to explain how we might quantify privacy. We touch on GDPR, proof of work, and Landaur's principle.

A patent dispute in 2024 nearly blocked ML-KEM. But emerging thinking raises concern that the 2024 resolution did not guarantee full, clear access to all ML-KEM implementations. We explain.

The CPS must always be a superset of actual practices in a properly running CA. We explain why this is a product of good design.

Imagine what happens if you use the wrong LLM, including a malicious model placed there to create mischief or crime. How do you know? Jason proposes that, the same way we sign our code, we should be signing our AI models as well.