Root Causes: A PKI and Security Podcast
Episodes
Root Causes 606: What Is the UK Online Safety Act?
17 Apr 2026
Contributed by Lukas
The UK Online Safety Act intends to force vendors who sell hardware and software to allow the government to scan end-to-end encrypted communication on...
Root Causes 605: Chrome Declares Its Support for Merkle Tree Certificates (MTC)
15 Apr 2026
Contributed by Lukas
Google has taken a strong position supporting Merkle Tree Certificates (MTC) as the PQC-enabled future for SSL / TLS. We unpack this extremely importa...
Root Causes 604: Accelerated Timeline for Quantum Computers Breaking ECC in Crypto and Blockchain
13 Apr 2026
Contributed by Lukas
A new paper from Google Quantum AI and others documents a new technique for breaking ECC, particularly the curve protecting crypto currencies, smart c...
Root Causes 603: Cryptographically Relevant Quantum Computing (CRQC) with Only 10,000 Qubits
10 Apr 2026
Contributed by Lukas
New research suggests that a cryptographically relevant quantum computer is achievable with only 10,000 qubits. This was an important contributor to G...
Root Causes 602: Google Moves the PQC Date Forward to 2029
08 Apr 2026
Contributed by Lukas
Google has announced that it is moving its target for full PQC support to 2029. This is a strong statement from one of the most knowledgeable PQC tec...
Root Causes 601: The Zombie in the Server Room
06 Apr 2026
Contributed by Lukas
Legacy PKI implementations in the enterprise are holding back technical progress and creating security risk. We discuss reasons why, consequences, an...
Root Causes 600: Cryptographic Design Is Not Neutral
03 Apr 2026
Contributed by Lukas
In our previous episode we defined cryptography as the new geopolitics. Now in our 600th episode we follow up to explain how all cryptographic decisi...
Root Causes 599: Cryptography Is the New Geopolitics
01 Apr 2026
Contributed by Lukas
In the last decade or so, nations around the world have become keenly determined to use cryptography for their own legal, economic, and military advan...
Root Causes 598: Why Johnny Can't authN in OT
30 Mar 2026
Contributed by Lukas
A recent CISA report declares that the nation's OT infrastructure is incapable of keeping up with the crypto agility and certificate management needs ...
Root Causes 597: If You Don't Hold the Keys, You Don't Hold the Subpoenas
27 Mar 2026
Contributed by Lukas
Microsoft has publicly stated that it will hand over BitLocker keys to US law enforcement agencies without requiring a subpoena or court order. These ...
Root Causes 596: CLM and Operational Uptime
25 Mar 2026
Contributed by Lukas
We usually think of Certificate Lifecycle Management (CLM) as a security category. But we could equally well categorize it as an operations category t...
Root Causes 595: What Is a Digital Parasite?
23 Mar 2026
Contributed by Lukas
We introduce the concept of a "digital parasite," explaining why this attack philosophy appears to be on the rise.
Root Causes 594: Google's Five PQC Recommendations for Policy Makers
18 Mar 2026
Contributed by Lukas
In a recent blog post Google made five recommendations for policy makers. We walk down the list.
Root Causes 592: When a CAA Record Outlives the CA
13 Mar 2026
Contributed by Lukas
CAA records exist to restrict issuing CAs for a given domain to as few as one CA. But what happens when the CAA record outlives the CA to which it res...
Root Causes 593: New PQC Guidance from CISA
11 Mar 2026
Contributed by Lukas
Root Causes 591: Client Authentication Deprecation Date Moves Out
11 Mar 2026
Contributed by Lukas
Root Causes 590: The Size of the CA Is Not the Size of the Risk
10 Mar 2026
Contributed by Lukas
It would be easy to believe that the amount of risk posed to the WebPKI by any individual public CA is somehow proportional to the number of active ce...
Root Causes 589: Is a Cryptographically Relevant Quantum Computer Economically Viable?
06 Mar 2026
Contributed by Lukas
We recently heard the argument that it's simply too expensive to develop a cryptographically relevant quantum computer. We vehemently disagree. In thi...
Root Causes 588: It's Cryptographic Frogger from Here on Out
04 Mar 2026
Contributed by Lukas
In this episode Tim explains that the transition to PQC is not just a change in cryptographic algorithms but also a fundamental shift in how we treat ...
Root Causes 587: AI Orchestration for Attackers
02 Mar 2026
Contributed by Lukas
Jason describes a recent intrusion almost entirely operated by off-the-shelf AI tools. This is an important milestone in security. We describe its p...
Root Causes 586: Beyond Harvest Now Decrypt Later
27 Feb 2026
Contributed by Lukas
We expand on the concept of trust-now-forge-later to list a whole bevy of additional attacks that eventually will be enabled by cryptographically rele...
Root Causes 585: The Cryptographic Inventory Manifesto
25 Feb 2026
Contributed by Lukas
We all love a good manifesto! Jason spells out the ten principles of the Cryptographic Inventory Manifesto, and we discuss.
Root Causes 585: The Cryptographic Inventory Manifesto
24 Feb 2026
Contributed by Lukas
We all love a good manifesto! Jason spells out the ten principles of the Cryptographic Inventory Manifesto, and we discuss.
Root Causes 584: Mapping DORA to CLM
23 Feb 2026
Contributed by Lukas
We look at the new European DORA and NIS2 regulations and how Certificate Lifecycle Management is a key requirement to meet these requirements. You w...
Root Causes 583: AI Versus ECC P 256
21 Feb 2026
Contributed by Lukas
In an innovative application, an AI has been used to find private keys for ECC (Elliptic Curve Cryptography) P 256. We explain how.
Root Causes 583: AI Versus ECC P 256
20 Feb 2026
Contributed by Lukas
Recorded in Ottawa Ontario.
Root Causes 582: New Research Drastically Cuts Number of Qubits for Cryptographic Relevance
17 Feb 2026
Contributed by Lukas
New research indicates that the number of qubits necessary to achieve cryptographic relevance has reduced by two orders of magnitude. We cover this b...
Root Causes 581: A Timeline for Deprecation of Manual DCV Methods
15 Feb 2026
Contributed by Lukas
By CABF ballot all manual methods of Domain Control Validation (DCV) will be deprecated by 2028. We explain which methods are due for deprecation and...
Root Causes 580: Top Use Cases for Hybrid Certificates
13 Feb 2026
Contributed by Lukas
We go over the qualities in abstract of a use case that strongly invites the use of hybrid certificates and then run down a list of specific use cases...
Root Causes 579: Make Cryptography Boring Again
10 Feb 2026
Contributed by Lukas
In this episode Jason declares that we must make cryptography boring again. We get into what that means and why it matters.
Root Causes 578: 200 Days Won't Actually Be 200 Days
09 Feb 2026
Contributed by Lukas
We have seen much talk of the upcoming drop of maximum TLS term to 200 days, followed by 100 days, and eventually down to 47 days. It happens that al...
Root Causes 577: All the Stuff That's Coming in March
06 Feb 2026
Contributed by Lukas
March 2026 is due to be the most eventful month in the history of the WebPKI. Join us as we go over all the many changes coming next month.
Root Causes 576: Jeffries Dumps Bitcoin Due to the Quantum Threat
04 Feb 2026
Contributed by Lukas
A large investment firm divests from Bitcoin for fear of the quantum threat.
Root Causes 575: Shortening Certificate Term - All the Dates
02 Feb 2026
Contributed by Lukas
Everybody knows about March 15 and the drop in maximum public TLS certificate term to 200 days. But that only scratches the surface on key dates with...
Root Causes 574: 2025 Predictions Scorecard - Part 2
30 Jan 2026
Contributed by Lukas
We score our 2025 predictions in this second of two parts.
Root Causes 573: 2025 Predictions Scorecard - Part 1
28 Jan 2026
Contributed by Lukas
Every new year we make predictions for the year to come, and every year we go back and see how we did. This is the first of two parts scoring our 202...
Root Causes 572: Quality of Entropy
26 Jan 2026
Contributed by Lukas
We discuss the idea that not all cryptographic entropy is equally "random" and potential consequences.
Root Causes 571: Will There Ever Be a Cryptographically Relevant Quantum Computer?
23 Jan 2026
Contributed by Lukas
We discuss the idea that it might be impossible to actually create a cryptographically relevant quantum computer and weigh in on this idea.
Root Causes 570: PQC Readiness at the Boardroom Level
21 Jan 2026
Contributed by Lukas
Repeat guest Chris McGrath shares what enterprises need to be doing now to stay on track for the NIST PQC deadline in 2030.
Root Causes 569: New Regulations Are Changing the PKI Landscape
19 Jan 2026
Contributed by Lukas
Repeat guest Chris McGrath joins us to discuss how increasingly strict regulations are requiring increased rigor, visibility, and auditability for ent...
Root Causes 568: Upping Your Certificate Game for Better Security
16 Jan 2026
Contributed by Lukas
Senior cyber security advisor Chris McGrath joins us to discuss redefining digital certificates and their role in your organizational security profile...
Root Causes 567: Top 10 PQC Laggards in the Enterprise
14 Jan 2026
Contributed by Lukas
We name the ten enterprise environments and use cases that are most likely to be late adopters of post quantum cryptography (PQC).
Root Causes 566: Time Is a Security Primitive
12 Jan 2026
Contributed by Lukas
We discuss the foundational importance of time in PKI and security in general. This includes when things happen, the order in which things happen, and...
Root Causes 565: Our Response to QWAC Arguments - Part 3
09 Jan 2026
Contributed by Lukas
In our concluding episode on the topic, we scrutinize arguments made for and against QWACs, this time focused on "compliance and interoperability."
Root Causes 564: Our Response to QWAC Arguments - Part 2
07 Jan 2026
Contributed by Lukas
In our second of three episodes on the topic, we scrutinize arguments made for and against QWACs, this time focused on "governance and sovereignty."
Root Causes 563: Our Response to QWAC Arguments - Part 1
05 Jan 2026
Contributed by Lukas
As a follow up to our episode 546, we break down the first of three sets of arguments about QWACs and examine their level of validity.
Root Causes 562: What Is a Side Oracle Attack?
30 Dec 2025
Contributed by Lukas
You may have heard of side channel attacks. Now Jason explains what a side oracle attack is and how a side oracle attack in conjunction with AI could ...
Root Causes 561: What Is Classic McEliece?
23 Dec 2025
Contributed by Lukas
One of the NIST Round 3 PQC finalists that was never selected or eliminated is Classic McEliece. In this episode we explain in non-math terms how this...
Root Causes 560: AI in 1000 Days - Small Language Models
18 Dec 2025
Contributed by Lukas
Continuing our examination of AI in 1000 days, we discuss the use of finely tuned small language models for highly specific use cases.
Root Causes 559: AI 1000 days - Content Quality
17 Dec 2025
Contributed by Lukas
We discuss what happens when the quality gap between AI-generated and human-generated content drops to zero. We explore the consequences of this inev...
Root Causes 558: AI in 1000 days - Human-in-the-loop Economy
15 Dec 2025
Contributed by Lukas
In our ongoing series on what AI will look like in 1000 days, we discuss the spread of a new business process, where AIs do the bulk of the work while...
Root Causes 557: Top 5 PQC Laggards
12 Dec 2025
Contributed by Lukas
Following up on our list of top 5 PQC vanguards, in this episode we detail the top 5 PQC laggards.
Root Causes 556: Top 5 PQC Vanguards
10 Dec 2025
Contributed by Lukas
We describe the top five technology categories that are on the vanguard of driving PQC adoption. We describe what these categories have in common and...
Root Causes 555: Perpetrators of Rogue Certificates
08 Dec 2025
Contributed by Lukas
We detail the top ten groups inside the organization who introduce rogue certificates into IT organizations.
Root Causes 554: Disentangling Quantum
05 Dec 2025
Contributed by Lukas
Tech watchers tend to conflate the many quantum technologies under development right now. In this episode we go through these technologies and expla...
Root Causes 553: Connecting Quantum Clocks to Cryptography
03 Dec 2025
Contributed by Lukas
We discuss quantum clocks and their potential role in cryptography.
Root Causes 552: 2026 Predictions
01 Dec 2025
Contributed by Lukas
We share our PKI predictions for 2026. Topics include PQC, eIDAS 2, CT logging, ACME, passkeys, CA distrust, AI model poisoning, and new attack vector...
Root Causes 551: PKI in a Swarm at 50 mph
24 Nov 2025
Contributed by Lukas
Jason explores the role cryptography and trust systems play in the command and control of groups of autonomous drone systems.
Root Causes 550: WebPKI Certificate Lifespan - How Low Can You Go?
21 Nov 2025
Contributed by Lukas
Certificate maximum term is shrinking. In this episode we examine exactly how short they could get.
Root Causes 549: AI 1000 Days from Now - the Defeat of Voice Authentication
19 Nov 2025
Contributed by Lukas
In our ongoing series on AI in 1000 days, we describe the inevitable, complete distrust of voice printing as an authentication method, including why a...
Root Causes 548: AI 1000 Days from Now - Emotional Intelligence
17 Nov 2025
Contributed by Lukas
We begin a new series about what we expect from AI in the next three years. In this episode we discuss AI emulating emotional intelligence and its be...
Root Causes 547: Should We Do Mass Revocation Fire Drills?
14 Nov 2025
Contributed by Lukas
In this episode we discuss the value for enterprises in running mass revocation drills and compare the merits of tabletop exercises versus voluntary r...
Root Causes 546: New Research Codifies Arguments for and Against QWACs
11 Nov 2025
Contributed by Lukas
We are joined by guests Pol Holzmer and Johannes Sedlmeir to describe their recent research that documents and organizes public arguments made about Q...
Root Causes 545: What Is MOSH?
10 Nov 2025
Contributed by Lukas
The MOSH tool aids the use of SSH-secured sessions, especially across different systems. Jason unpacks the security of this system and how it uses enc...
Root Causes 543: AI Finds a Zero Day
05 Nov 2025
Contributed by Lukas
We have seen the first known instance of an AI tool discovering a zero-day vulnerability. This could have vast implications on vulnerability detectio...
Root Causes 544: What Is Chain of Lure?
05 Nov 2025
Contributed by Lukas
Chain of lure is an attack method used to circumvent restrictions and boundaries placed on AIs. Jason explains this attack and its implications.
Root Causes 542: Use Cases for HQC
02 Nov 2025
Contributed by Lukas
In this episode we go over some of the reasons one might choose HQC over ML-KEM as a PQC key exchange algorithm for specific circumstances. And we dis...
Root Causes 541: Introducing the HQC PQC Algorithm
31 Oct 2025
Contributed by Lukas
NIST recently selected a second Key Exchange Module (KEM) among the PQC algorithms, HQC. We explain this code-based algorithm.
Root Causes 540: Contextual CBOM
27 Oct 2025
Contributed by Lukas
We define Cryptographic Bill of Materials (CBOM), which is more than a list of your cryptography and where it is. A CBOM need also include information...
Root Causes 539: What Is the Two-QWAC Architecture?
22 Oct 2025
Contributed by Lukas
A new kind of eIDAS QWAC (Qualified Website Authentication Certificate) is on the way. The "two-QWAC architecture" introduces a second certificate co...
Root Causes 538: What Is an Entropy Desert?
20 Oct 2025
Contributed by Lukas
An environment in which credentials are extremely predictable could be described as an entropy desert. These are occurring at a global scale. We discu...
Root Causes 537: The Thermodynamics of Privacy
17 Oct 2025
Contributed by Lukas
In this episode we build on our concept of entropy-aware guidance to explain how we might quantify privacy. We touch on GDPR, proof of work, and Landa...
Root Causes 536: Patent Blocker on ML-KEM
15 Oct 2025
Contributed by Lukas
A patent dispute in 2024 nearly blocked ML-KEM. But emerging thinking raises concern that the 2024 resolution did not guarantee full, clear access to...
Root Causes 535: The CPS Is a Superset of Actual Practices
12 Oct 2025
Contributed by Lukas
The CPS must always be a superset of actual practices in a properly running CA. We explain why this is a product of good design.
Root Causes 534: Signing the Machines That Think
10 Oct 2025
Contributed by Lukas
Imagine what happens if you use the wrong LLM, including a malicious model placed there to create mischief or crime. How do you know? Jason proposes...
Root Causes 533: Flexibility Through Multi-CA Trust Models
07 Oct 2025
Contributed by Lukas
We discuss how a static PKI structure can hurt corporate flexibility and resilience. Events like reorgs and M&A activity can cause intractable problem...
Root Causes 532: Introducing Offline PKI
02 Oct 2025
Contributed by Lukas
In this episode, Jason describes how we might use the principles of PKI in a purely offline scenario.
Root Causes 531: Benefits of Single-purpose Root Hierarchies
01 Oct 2025
Contributed by Lukas
Public certificates are transitioning from multi-purpose root hierarchies to single-purpose ones. We discuss why.
Root Causes 530: Introducing the AI Iceberg
29 Sep 2025
Contributed by Lukas
We compare AI in 2025 to Internet in 1995 and describe the AI iceberg, including the majority of applications which are below the waterline.
Root Causes 529: What Is a Common Mark Certificate?
24 Sep 2025
Contributed by Lukas
Verified Mark Certificates (VMC) now have a companion product for logos that are not registered trademarks, called a Common Mark Certificate (CMC). We...
Root Causes 528: Misissued SSL Certificate for 1.1.1.1
17 Sep 2025
Contributed by Lukas
A CA has incorrectly issued TLS certificates for the 1.1.1.1 and 2.2.2.2 IP addresses. We go into the details.
Root Causes 527: Key Dates for the Deprecation of Public mTLS
15 Sep 2025
Contributed by Lukas
Client authentication using public TLS server certificates is on the deprecation path. In this episode we go through the key dates in this deprecatio...
Root Causes 526: Voice Biometrics Are Worthless
12 Sep 2025
Contributed by Lukas
Based on the ready availability of AI-based voice cloning, we declare voice biometric authentication to be utterly valueless.
Root Causes 525: The End of Email-based DCV
10 Sep 2025
Contributed by Lukas
A new CABF ballot proposal will eliminate all email- and phone-based DCV over the next few years. We go into the details.
Root Causes 524: How to Kill Three Birds with One Stone
08 Sep 2025
Contributed by Lukas
Three major changes are coming to the world of public certificates, all of which require major changes in how organizations deploy, renew, and manage ...
Root Causes 523: Will Your Configuration Block MPIC DCV?
03 Sep 2025
Contributed by Lukas
MPIC (Multi-perspective Issuance Corroboration) is soon to move into enforcement phase. In this episode we describe three configuration decisions that...
Root Causes 522: How Prepared Are Enterprises for PQC? (Part 2)
27 Aug 2025
Contributed by Lukas
We complete our description and commentary on the results of Sectigo's survey of enterprise preparedness for Post Quantum Cryptography (PQC).
Root Causes 521: How Prepared Are Enterprises for PQC? (Part 1)
22 Aug 2025
Contributed by Lukas
We begin to go over the results of Sectigo's recent survey of enterprises and their preparedness and plans for adopting Post Quantum Cryptography (PQC...
Root Causes 520: How Prepared Are IT Teams for 47-day Certificates?
20 Aug 2025
Contributed by Lukas
Sectigo has released the results of its survey of IT professionals in charge of certificates to measure their readiness and preparation for 47-day max...
Root Causes 519: AI Is the Room
18 Aug 2025
Contributed by Lukas
AI is not the elephant in the room. It is the room itself. Jason explains what he means by that.
Root Causes 518: NCSC Lukewarm on FIDO WebAuthn
13 Aug 2025
Contributed by Lukas
Britain's National Cyber Security Centre recently issued a lukewarm verdict on passkeys as an authentication solution. We explore the problems with W...
Root Causes 517: The Cost of Quantum Factoring
25 Jul 2025
Contributed by Lukas
Jason walks us through an important recent paper from Google tracking the cost of quantum factoring.
Root Causes 516: PQC for ADCS
21 Jul 2025
Contributed by Lukas
Microsoft has finally announced that it will offer an update to Active Directory Certificate Services (ADCS, formerly MSCA) to support post quantum cr...
Root Causes 515: What Is Entropy-aware Governance?
18 Jul 2025
Contributed by Lukas
Jason coins the term "entropy-aware governance" to describe the idea of using the degree of entropy it contains to measure the strength of any given s...
Root Causes 514: Diary of an Online Firestorm
16 Jul 2025
Contributed by Lukas
Tim describes how the addition of an item to the CABF face-to-face meeting agenda blew up into a panicked and outraged online thread. We discuss what...
Root Causes 513: Is Revocation the Best Remedy for CPS Misalignment?
14 Jul 2025
Contributed by Lukas
We continue our discussion of CPS misalignment by discussing the reasons for revocation as a remedy, its disadvantages, and the possibility of another...
Root Causes 512: CPS Versus Practices Misalignment
11 Jul 2025
Contributed by Lukas
We examine the circumstance where otherwise allowed practices are out of alignment with the stated practices in the relevant CPS. We discuss CA transp...
Root Causes 511: The GoML Root Store
05 Jul 2025
Contributed by Lukas
We follow up on our discussion of the Get Off My Lawn (GoML) browser with Jason's adventure in creating his own custom root store.
Root Causes 510: Introducing the GoML Browser
26 Jun 2025
Contributed by Lukas
We discuss Jason's code vibing journey to create the Get Off My Lawn! (GoML) browser. We discuss SSL certificate information, EV indicators, and cooki...