
Root Causes: A PKI and Security Podcast
Digital certificate industry veterans Tim Callan and Jason Soroko explore issues surrounding digital identity, PKI, and cryptographic connections in today's dynamic computing world. They discuss best practices in digital certificates under pressure from technology trends, new laws, cryptographic advances, and evolving computing architectures. The podcast helps listeners stay current on developments in this essential technology platform and understand the whys and wherefores of popular Public Key Infrastructures.
Episodes
Root Causes 628: PI-DOS (Prompt Injection-based Denial of Service)
An emerging attack against AIs is to create a significantly complex and recursive prompt that will occupy the AI indefinitely or for a sufficiently long time that it acts as a Denial-of-Service (DoS) attack. We describe how this works.
Root Causes 627: UK vs Apple E2EE Backups
In the latest in our coverage of government versus encryption, the UK issued secret orders to Apple to give it a cryptographic backdoor to Apple's advanced data protection capability for iCloud. Apple responded by eliminating encryption entirely for UK users. We break it down.
Root Causes 626: TLS 1.3 Roadblock
TLS 1.3 is required to take advantage of post quantum cryptography (PQC) algorithms. Yes, we still see a lot of TLS 1.2 or earlier in deployment. We examine why this is the case and what to do about it.
Root Causes 625: AI in 1000 Days - Cyber Defense
Recent revelations about Mythos and its ability to expose vulnerabilities have forced us to rethink basic assumptions about cyber defense. In our "AI in 1000 Days" series, Jason Soroko and I examine the implications of these revelations three years from now. This includes upping the overall pace of attack and changes to best practices in cyber security defense.
Root Causes 624: Implications of Mythos
Anthropic has delayed its widespread release of Mythos to give major software providers a chance to close off the many vulnerabilities it has discovered. We dig into the vast implications of Mythos and other AI models for the future of cybersecurity.
Root Causes 623: Are PQC Key Sizes Big Enough?
We discuss the possibility that our standardized ML-DSA keys turn out to be too short for true confidence, why that might occur, and the implications for private PKI certificates.
Root Causes 622: Modeling the Time to CRQC
Sam Jaques joins us to explain his much-referenced chart mapping progress toward cryptographically relevant quantum computing (CRQC).
Root Causes 621: Simplicity at Scale
We break down the phrase "Simplicity at Scale" to see what it means to us in the context of CAs and CLM.
Root Causes 620: Will NIST Update Its PQC Timelines?
A few years ago NIST proposed deadlines for PQC deployment at 2030 and 2035. But recent announcements from Google and Cloudflare suggest 2029 as a better deprecation target. We are joined by Dustin Moody to get the NIST perspective on these announcements.
Root Causes 619: Do We All Need to Adopt PQC by 2029?
Recent announcements from Google and Cloudflare have declared new 2029 deadlines for full post quantum cryptography (PQC) migration. Bas Westerbaan explains the rationale behind Cloudflare's decision and discusses implications for other enterprises, asking "Are you a gambler?"
Root Causes 618: MTC and Private PKI
Repeat guest Bas Westerbaan of Cloudflare joins us to explore the role of Merkle Tree Certificates in private CA scenarios with an eye toward where they will be needed and where traditional PKI will be better suited.
Root Causes 617: What Are X9 Certificates?
The US-based X9 financial industry consortium has created a server certificate. We explain what X9 certificates are and suitable use cases for this certificate type.
Root Causes 616: NIST and Merkle Tree Certificates
Dustin Moody of NIST joins us to discuss Merkle Tree Certificates (MTC) and the NIST position on them.
Root Causes 615: What Is IETF PLANTS?
Repeat guest Bas Westerbaan of Cloudflare joins us to explain the PLANTS working group in IETF, which is driving standards around post quantum cryptography (PQC) and Merkle Tree Certificates (MTC). Bas explains the path to becoming a final standard, where we are in this process, and how you can get involved.
Root Causes 614: MTC and Downgrade Attacks
It's reasonable to believe that Merkle Tree Certificates (MTC) and traditional RSA will co-exist on the same servers for years, if not decades, during the transition to post quantum cryptography (PQC). Bas Westerbaan of Cloudflare joins us in this episode to explore the possibility of quantum downgrade attacks and what we can do about them.
Root Causes 613: Status of the NIST PQC Contests
We are joined by Dustin Moody of NIST to go over the current state of the various post quantum cryptography (PQC) contests, including upcoming FIPS standards for Falcon (FN-DSA) and HQC, other Round 4 algorithms, the digital signing algorithm (DSA) On Ramp, isogeny, and future cryptographic exploration.
Root Causes 612: What Do Subscribers Need for MTC?
We are joined by Bas Westerbaan of Cloudflare to explain considerations and requirements for use of Merkle Tree Certificates (MTC). This includes full adoption of TLS 1.3, offering PQC and RSA at the same time, the imperative value of automation, and running production MTC in 2027.
Root Causes 611: Merkle Tree Certificates, What and Why
There are strong reasons to believe that the architecture of PQC TLS will take the form of Merkle Tree Certificates (MTC). We are joined by post quantum cryptography expert Bas Westerbaan of Cloudflare as he explains this new PKI architecture, how it works, and why we need it. We define new concepts like landmark certificates and log mirrors and discuss what's necessary to move to this new archite
Root Causes 610: Types of Logical Qubits
We describe three different kinds of logical qubits with their relative strengths and weaknesses.
Root Causes 609: Side Channel Apocalypse
Jason explains the extreme danger of side channel attacks in the new post quantum cryptography (PQC) era.
Root Causes 608: The Fragility of Formal Verification
The reliability of cryptographic algorithms is largely a matter of conjecture based on track record. Proving security is impaired by the difficulty of formal verification, implementation weaknesses, and failure in randomness.
Root Causes 607: PKI That's Hard to Discover
The first of the five pillars of Certificate Lifecycle Management (CLM) is discovery. While many of your certificates are easily discoverable, some difficult PKI remains.
Root Causes 606: What Is the UK Online Safety Act?
The UK Online Safety Act intends to force vendors who sell hardware and software to allow the government to scan end-to-end encrypted communication on end devices. We once again marvel at governments seeking to undermine the security of their own citizens.
Root Causes 605: Chrome Declares Its Support for Merkle Tree Certificates (MTC)
Google has taken a strong position supporting Merkle Tree Certificates (MTC) as the PQC-enabled future for SSL / TLS. We unpack this extremely important position from the WebPKI's most influential organization.
Root Causes 604: Accelerated Timeline for Quantum Computers Breaking ECC in Crypto and Blockchain
A new paper from Google Quantum AI and others documents a new technique for breaking ECC, particularly the curve protecting crypto currencies, smart contracts, and blockchain. This accelerates post quantum cryptography (PQC) timelines.
Root Causes 603: Cryptographically Relevant Quantum Computing (CRQC) with Only 10,000 Qubits
New research suggests that a cryptographically relevant quantum computer is achievable with only 10,000 qubits. This was an important contributor to Google moving its PQC target to 2029.
Root Causes 602: Google Moves the PQC Date Forward to 2029
Google has announced that it is moving its target for full PQC support to 2029. This is a strong statement from one of the most knowledgeable PQC technology companies that the existing 2030 target is too late.
Root Causes 601: The Zombie in the Server Room
Legacy PKI implementations in the enterprise are holding back technical progress and creating security risk. We discuss reasons why, consequences, and what to do about it.
Root Causes 600: Cryptographic Design Is Not Neutral
In our previous episode we defined cryptography as the new geopolitics. Now in our 600th episode we follow up to explain how all cryptographic decisions reflect the social, political, and legal viewpoints of the cryptography's designers.
Root Causes 599: Cryptography Is the New Geopolitics
In the last decade or so, nations around the world have become keenly determined to use cryptography for their own legal, economic, and military advantage. We explore this concept.
Root Causes 598: Why Johnny Can't authN in OT
A recent CISA report declares that the nation's OT infrastructure is incapable of keeping up with the crypto agility and certificate management needs that modern security demands. We examine this finding.
Root Causes 597: If You Don't Hold the Keys, You Don't Hold the Subpoenas
Microsoft has publicly stated that it will hand over Bitlocker keys to US law enforcement agencies without requiring a subpoena or court order. These keys can be held by users rather than Microsoft, at their option. We dive into this topic.
Root Causes 596: CLM and Operational Uptime
We usually think of Certificate Lifecycle Management (CLM) as a security category. But we could equally well categorize it as an operations category that enables uptime. In this episode we make our case.
Root Causes 595: What Is a Digital Parasite?
We introduce the concept of a "digital parasite," explaining why this attack philosophy appears to be on the rise.
Root Causes 594: Google's Five PQC Recommendations for Policy Makers
In a recent blog post Google made five recommendations for policy makers. We walk down the list.
Root Causes 593: New PQC Guidance from CISA
CISA (Cybersecurity and Infrastructure Security Agency) has released new guidance about post-quantum cryptography in critical infrastructure, including some very sobering warnings. We go into the details.
Root Causes 592: When a CAA Record Outlives the CA
CAA records exist to restrict issuing CAs for a given domain to as few as one CA. But what happens when the CAA record outlives the CA to which it restricts issuance? Join us to find out.
Root Causes 591: Client Authentication Deprecation Date Moves Out
Chrome's deadline for deprecation of the clientAuth EKU and mTLS in public certificates has moved out. We give you the what, when, and why.
Root Causes 590: The Size of the CA Is Not the Size of the Risk
It would be easy to believe that the amount of risk posed to the WebPKI by any individual public CA is somehow proportional to the number of active certificates that CA has. This is false, however. In this episode we address this misconception.
Root Causes 589: Is a Cryptographically Relevant Quantum Computer Economically Viable?
We recently heard the argument that it's simply too expensive to develop a cryptographically relevant quantum computer. We vehemently disagree. In this episode we explain why.
Root Causes 588: It's Cryptographic Frogger from Here on Out
In this episode Tim explains that the transition to PQC is not just a change in cryptographic algorithms but also a fundamental shift in how we treat our cryptography. From here on out, IT systems need to be fundamentally crypto agile in a way we've never had to be before. Cryptographic Agility is the key to solve this problem.
Root Causes 587: AI Orchestration for Attackers
YouTube video version of this episode
https://youtu.be/-wMy3rPV1Lg
Root Causes 586: Beyond Harvest Now Decrypt Later
We expand on the concept of trust-now-forge-later to list a whole bevy of additional attacks that eventually will be enabled by cryptographically relevant quantum computers.
Root Causes 585: The Cryptographic Inventory Manifesto
We all love a good manifesto! Jason spells out the ten principles of the Cryptographic Inventory Manifesto, and we discuss.
Root Causes 584: Mapping DORA to CLM
We look at the new European DORA and NIS2 regulations and how Certificate Lifecycle Management is a key requirement to meet these requirements. You will be surprised how explicit these requirements are.
Root Causes 583: AI Versus ECC P 256
Recorded in Ottawa, Ontario.
Root Causes 582: New Research Drastically Cuts Number of Qubits for Cryptographic Relevance
New research indicates that the number of qubits necessary to achieve cryptographic relevance has reduced by two orders of magnitude. We cover this breaking news and its implications.
Root Causes 581: A Timeline for Deprecation of Manual DCV Methods
By CABF ballot all manual methods of Domain Control Validation (DCV) will be deprecated by 2028. We explain which methods are due for deprecation and when.
Root Causes 580: Top Use Cases for Hybrid Certificates
We go over the qualities in abstract of a use case that strongly invites the use of hybrid certificates and then run down a list of specific use cases that meet these criteria. This includes OT systems, code signing, secure boot, WiFi, enterprise S/MIME, and more.
Root Causes 579: Make Cryptography Boring Again
In this episode Jason declares that we must make cryptography boring again. We get into what that means and why it matters.
Root Causes 578: 200 Days Won't Actually Be 200 Days
We have seen much talk of the upcoming drop of maximum TLS term to 200 days, followed by 100 days, and eventually down to 47 days. It happens that all those numbers are too large and the actual maxima will be less than that. We explain.
Root Causes 577: All the Stuff That's Coming in March
March 2026 is due to be the most eventful month in the history of the WebPKI. Join us as we go over all the many changes coming next month.
Root Causes 576: Jeffries Dumps Bitcoin Due to the Quantum Threat
A large investment firm divests from Bitcoin for fear of the quantum threat.
Root Causes 575: Shortening Certificate Term - All the Dates
Everybody knows about March 15 and the drop in maximum public TLS certificate term to 200 days. But that only scratches the surface on key dates with this maximum term reduction. Join us as we go over "all the dates" for TLS maximum term reduction.
Root Causes 574: 2025 Predictions Scorecard - Part 2
We score our 2025 predictions in this second of two parts.
Root Causes 573: 2025 Predictions Scorecard - Part 1
Every new year we make predictions for the year to come, and every year we go back and see how we did. This is the first of two parts scoring our 2025 predictions.
Root Causes 572: Quality of Entropy
We discuss the idea that not all cryptographic entropy is equally "random" and potential consequences.
Root Causes 571: Will There Ever Be a Cryptographically Relevant Quantum Computer?
We discuss the idea that it might be impossible to actually create a cryptographically relevant quantum computer and weigh in on this idea.
Root Causes 570: PQC Readiness at the Boardroom Level
Repeat guest Chris McGrath shares what enterprises need to be doing now to stay on track for the NIST PQC deadline in 2030.
Root Causes 569: New Regulations Are Changing the PKI Landscape
Repeat guest Chris McGrath joins us to discuss how increasingly strict regulations are requiring increased rigor, visibility, and auditability for enterprise digital certificates and PKI.
Root Causes 568: Upping Your Certificate Game for Better Security
Senior cyber security advisor Chris McGrath joins us to discuss redefining digital certificates and their role in your organizational security profile, increasing regulation of certificates, and how enterprises can up their certificate game.
Root Causes 567: Top 10 PQC Laggards in the Enterprise
We name the ten enterprise environments and use cases that are most likely to be late adopters of post quantum cryptography (PQC).
Root Causes 566: Time Is a Security Primitive
We discuss the foundational importance of time in PKI and security in general. This includes when things happen, the order in which things happen, and attacks based on time-spoofing. We drill down on certificates, roots, timestamping, Certificate Transparency, patching, audits, and PQC.
Root Causes 565: Our Response to QWAC Arguments - Part 3
In our concluding episode on the topic, we scrutinize arguments made for and against QWACs, this time focused on "compliance and interoperability."
Root Causes 564: Our Response to QWAC Arguments - Part 2
In our second of three episodes on the topic, we scrutinize arguments made for and against QWACs, this time focused on "governance and sovereignty."
Root Causes 563: Our Response to QWAC Arguments - Part 1
As a follow up to our episode 546, we break down the first of three sets of arguments about QWACs and examine their level of validity.
Root Causes 562: What Is a Side Oracle Attack?
You may have heard of side channel attacks. Now Jason explains what a side oracle attack is and how a side oracle attack in conjunction with AI could be effective against the HQC or Falcon PQC algorithms.
Root Causes 561: What Is Classic McEliece?
One of the NIST Round 3 PQC finalists that was never selected or eliminated is Classic McEliece. In this episode we explain in non-math terms how this algorithm works.
Root Causes 560: AI in 1000 Days - Small Language Models
Continuing our examination of AI in 1000 days, we discuss the use of finely tuned small language models for highly specific use cases.
Root Causes 559: AI in 1000 days - Content Quality
We discuss what happens when the quality gap between AI-generated and human-generated content drops to zero. We explore the consequences of this inevitable outcome.
Root Causes 558: AI in 1000 days - Human-in-the-loop Economy
In our ongoing series on what AI will look like in 1000 days, we discuss the spread of a new business process, where AIs do the bulk of the work while humans sit in the loop for certain specific tasks and roles.
Root Causes 557: Top 5 PQC Laggards
Following up on our list of top 5 PQC vanguards, in this episode we detail the top 5 PQC laggards.
Root Causes 556: Top 5 PQC Vanguards
We describe the top five technology categories that are on the vanguard of driving PQC adoption. We describe what these categories have in common and how that results in early adoption of post quantum cryptography.
Root Causes 555: Perpetrators of Rogue Certificates
We detail the top ten groups inside the organization who introduce rogue certificates into IT organizations.
Root Causes 554: Disentangling Quantum
Tech watchers tend to conflate the many quantum technologies under development right now. In this episode we go through these technologies and explain how they connect.
Root Causes 553: Connecting Quantum Clocks to Cryptography
We discuss quantum clocks and their potential role in cryptography.
Root Causes 552: 2026 Predictions
We share our PKI predictions for 2026. Topics include PQC, eIDAS 2, CT logging, ACME, passkeys, CA distrust, AI model poisoning, and new attack vectors.
Root Causes 551: PKI in a Swarm at 50 mph
Jason explores the role cryptography and trust systems play in the command and control of groups of autonomous drone systems.
Root Causes 550: WebPKI Certificate Lifespan - How Low Can You Go?
Certificate maximum term is shrinking. In this episode we examine exactly how short they could get.
Root Causes 549: AI 1000 Days from Now - the Defeat of Voice Authentication
In our ongoing series on AI in 1000 days, we describe the inevitable, complete distrust of voice printing as an authentication method, including why and what we think will happen.