Listen Now

This December will see a meaningful change in how CAs are allowed to conduct Domain Control Validation (DCV) using the method known as https token or file authentication or agreed up on change to web site. This method will be removed as an option for "domain spaces" including wildcards and subdomains. Join our hosts as they explain how DCV works and how the rules are changing and why. And we clarify the available options for those changing their preferred DCV methods.

The PetitPotam attack against Microsoft CA has garnered a lot of attention. Our hosts describe this attack and define related terms like Mimikatz, pass-the-hash, and NTLM Relay. The episode goes on to give a roadmap for mitigating this attack , including free resources available to help defend against PetitPotam.

Regular followers of this podcast hear a great deal about SSL, the CA/Browser Forum, and the standards governing public SSL. But SSL is not the only regulated type of public digital certificate. There are also things like S/MIME, eIDAS, code signing, document signing, and SSH certificates. In this episode our hosts discuss these "other" certificate types and the rules and regulations governing them.

In this episode our hosts go through the various ways in which cryptocurrency can be stolen or lost, including private key compromise, security failures at cryptocurrency brokers, and theft of login credentials. Our hosts also discuss how manipulation of the public ledger could also lead to unfair distribution of cryptocurrency value.

A hot, new topic in the identity space is passwordless. Join our hosts as they explain credential form factors and offer a specific definition of passwordless, including the difference between PINs and passwords.

Sectigo is implementing an important change to its public-facing SSL certificate business, which we call State-Locality Exclusivity. This change removes a the localityName field, a very common field in SSL certificates. In this episode our hosts explain what the localityName field is, why we are removing it, and how this change is to the benefit of SSL Subscribers and Relying Parties.

Linters have been a standard programming tool for more than four decades. This venerable coding tool has recently taken on new significant in the world of public certificates. In this episode our hosts explain linters and how they are applied to SSL certificates.

Microsoft has announced that its upcoming Windows 11 release will require TPM 2.0 support at a minimum. TPM 2.0 enables more modern hashing and encryption algorithms than previous versions. Our hosts discuss the implications of this announcement.

Whitelisting and blocklisting are tried and true elements of the computer industry. In this episode our hosts define whitelisting and blocklisting and the pros and cons of either, with lots of examples from the real world. We discuss fuzzy entities, the scaling problem, layered defenses, and the trouble with active attackers.

If you have paid any attention at all to popular media in the past few months, you will have heard about non-fungible tokens, or NFTs. NFTs are a method of uniquely identifying a digital asset using blockchain technology, and they are big news in the art and media world. Join our hosts as they explain the difference between fungible and non-fungible tokens, how NFTs work, and the significance of publicly asserting ownership for digital files.

Today our hosts explore an esoteric but important error in public certificates that we call the off-by-one-second problem. We explain this problem, how it occurs, and its broader implications.

In celebration of Canada Day, our hosts discuss why Canada in particular offers a disproportionately large contribution to cryptography. We examine historic reasons and the real-world consequences of Canada being a center for cryptographic excellence.

In the developing story of the Colonial pipeline ransomware attack, the FBI recently recovered the ransom money, which had been paid in Bitcoin. In this episode we talk about how this recovery might have occurred.

In our technology discussions we frequently run into confusion about the relationship between electronic document signing and digital document signing. Despite the similarity in names, they are entirely different technological approaches to providing trustworthy electronic signed documents. In this episode we explain the two terms, their distinct definitions, and some of the pros and cons of each approach.

The recent ransomware attack against the Colonial pipeline has captured the news cycles in recent weeks. In this first episode of two our hosts begin to unpack what it known about this attack and how digital identity and PKI fit in.

Of all aspects of public SSL certificates, few are as controversial as the OU field. Standing for Organizational Unit, this field is beloved by a few enterprises and hated by security watchers. It's also under fire in the CA/Browser Forum. Join our hosts as they explain the history of the OU field and why it's an industry flashpoint, including their predictions for the future of the OU field.

In our ongoing examination of blockchain, we define proof of work and proof of stake as consensus algorithms for updating the public ledger. We explain their differences and get into the problems with proof of work and the reasons proof of stake is emerging as a promising new consensus algorithm. We touch on the consequences of these algorithms on other aspects of society as well.

In our ongoing series of episodes on MFA, we explore the plusses and minuses of out-of-band phone calling. Our hosts explain how this form of MFA works, what attacks it defends against successfully, and what attacks can circumvent it.

PKI stands for Public Key Infrastructure. In this episode we focus on the word infrastructure. Our hosts discuss the key qualities of credential form factors, how they are separate and distinct from the infrastructure surrounding them, and the minimum capabilities necessary to refer to a public-private key system as PKI.

In a recent interview Tim Cook took a strong stance against application sideloading as a danger to mobile devices. In this episode we explain sideloading, its potential dangers, and the underlying motivators behind the sideloading debate.