Tim Callan Profile
Tim Callan

@TimCallan

Followers
436
Following
72
Media
1
Statuses
571

Chief Experience Officer at Sectigo (@SectigoHQ). Long time blogger about online security, branding, marketing, and technology.

Granger, Indiana
Joined January 2009
1 day
Jason coins the term "entropy-aware governance" to describe the idea of using the degree of entropy it contains to measure the strength of a secret. This could be an objective, consistent metric that could be applied to standard practices and requirements.
3 days
Tim describes how the addition of an item to the CABF face-to-face meeting agenda blew up into a panicked and outraged online thread. We discuss what a more functional response would have looked like.
5 days
We continue our discussion of CPS misalignment by discussing the reasons for revocation as a remedy, its disadvantages, and the possibility of another solution that provides the same benefits at less cost.
8 days
We examine the circumstance where otherwise allowed practices are out of alignment with the stated practices in the relevant CPS. We discuss CA transparency and accountability, increased scrutiny of the CPS, and mass revocation.
14 days
We follow up on our discussion of the Get off My Lawn (GoTM) browser with Jason's adventure in creating his own custom root store.
22 days
We discuss Jason's code vibing journey to create the Get Off My Lawn! (GoTM) browser. We discuss SSL certificate information, EV indicators, and cookie handling.
24 days
We define CPS (Certificate Practices Statement) and explain the role it plays in both the WebPKI and private CAs.
26 days
"Code vibing" is using generative AI to create or improve working code. We share Jason's adventure using code vibing to create his own web browser.
1 month
The first CA distrust event of 2025 comes with two simultaneous CA distrusts. We give you the details.
1 month
For the first time ever, Jason and I record an episode from the floor of the CA/Browser Forum face-to-face meeting. We recap the themes of this meeting, and Jason gives his first impressions of a CABF Face-to-face.
1 month
In this episode we explain the potential for future quantum computers to break files signed today with RSA or ECC, called "Trust now, forge later."
1 month
Jason programs a quantum computer! Jason describes his recent experience using Amazon Braket.
1 month
We explain the difference between two strategies of PQC implementation, which we call hybrid and composite.
2 months
In this episode Jason explains the fallacy of "playing chicken" with the Quantum Apocalypse. We discuss stack ranking and "eyes open" PQC risk decisions.
2 months
In this brief episode we explain why the problem that Shor's Algorithm poses to RSA and ECC can't be solved simply by increasing key size.
2 months
Wow. It's episode 500 of Root Causes. Jason and Tim talk about how the podcast has evolved in the past six years, how it has remained consistent, and the updates we're making to keep being a valuable resource for our listeners.
2 months
The recent Signal controversy highlights the importance of understanding what protections an E2EE messaging app provides, and what it does not.
2 months
The UK National Cyber Security Centre (NCSC) has released new PQC guidance. We take exception to the dates it gives and explain why.
2 months
Guest Sofia Celi (IETF, Brave) returns to discuss developments in post quantum cryptography. Sofia tells us about her candidate algorithm MAYO and what is happening with the NIST PQC onramp. We learn about KEM TLS and the status of PQC in IETF.
2 months
Gmail is now end-to-end encrypted for all recipients, regardless of the receiving client. We explain how Gmail accomplishes this trick.