Root Causes: A PKI and Security Podcast
Episodes
Root Causes 527: Key Dates for the Deprecation of Public mTLS
15 Sep 2025
Contributed by Lukas
Client authentication using public TLS server certificates is on the deprecation path. In this episode we go through the key dates in this deprecatio...
Root Causes 526: Voice Biometrics Are Worthless
12 Sep 2025
Contributed by Lukas
Based on the ready availability of AI-based voice cloning, we declare voice biometric authentication to be utterly valueless.
Root Causes 525: The End of Email-based DCV
10 Sep 2025
Contributed by Lukas
A new CABF ballot proposal will eliminate all email- and phone-based DCV over the next few years. We go into the details.
Root Causes 524: How to Kill Three Birds with One Stone
08 Sep 2025
Contributed by Lukas
Three major changes are coming to the world of public certificates, all of which require major changes in how organizations deploy, renew, and manage ...
Root Causes 523: Will Your Configuration Block MPIC DCV?
03 Sep 2025
Contributed by Lukas
MPIC (Multi-perspective Issuance Corroboration) is soon to move into enforcement phase. In this episode we describe three configuration decisions that...
Root Causes 522: How Prepared Are Enterprises for PQC? (Part 2)
27 Aug 2025
Contributed by Lukas
We complete our description and commentary on the results of Sectigo's survey of enterprise preparedness for Post Quantum Cryptography (PQC).
Root Causes 521: How Prepared Are Enterprises for PQC? (Part 1)
22 Aug 2025
Contributed by Lukas
We begin to go over the results of Sectigo's recent survey of enterprises and their preparedness and plans for adopting Post Quantum Cryptography (PQC...
Root Causes 520: How Prepared Are IT Teams for 47-day Certificates?
20 Aug 2025
Contributed by Lukas
Sectigo has released the results of its survey of IT professionals in charge of certificates to measure their readiness and preparation for 47-day max...
Root Causes 519: AI Is the Room
18 Aug 2025
Contributed by Lukas
AI is not the elephant in the room. It is the room itself. Jason explains what he means by that.
Root Causes 518: NCSC Lukewarm on FIDO WebAuthn
13 Aug 2025
Contributed by Lukas
Britain's National Cyber Security Centre recently issued a lukewarm verdict on passkeys as an authentication solution. We explore the problems with W...
Root Causes 517: The Cost of Quantum Factoring
25 Jul 2025
Contributed by Lukas
Jason walks us through an important recent paper from Google tracking the cost of quantum factoring.
Root Causes 516: PQC for ADCS
21 Jul 2025
Contributed by Lukas
Microsoft has finally announced that it will offer an update to Active Directory Certificate Services (ADCS, formerly MSCA) to support post quantum cr...
Root Causes 515: What Is Entropy-aware Governance?
18 Jul 2025
Contributed by Lukas
Jason coins the term "entropy-aware governance" to describe the idea of using the degree of entropy it contains to measure the strength of any given s...
Root Causes 514: Diary of an Online Firestorm
16 Jul 2025
Contributed by Lukas
Tim describes how the addition of an item to the CABF face-to-face meeting agenda blew up into a panicked and outraged online thread. We discuss what...
Root Causes 513: Is Revocation the Best Remedy for CPS Misalignment?
14 Jul 2025
Contributed by Lukas
We continue our discussion of CPS misalignment by discussing the reasons for revocation as a remedy, its disadvantages, and the possibility of another...
Root Causes 512: CPS Versus Practices Misalignment
11 Jul 2025
Contributed by Lukas
We examine the circumstance where otherwise allowed practices are out of alignment with the stated practices in the relevant CPS. We discuss CA transp...
Root Causes 511: The GoML Root Store
05 Jul 2025
Contributed by Lukas
We follow up on our discussion of the Get off My Lawn (GoML) browser with Jason's adventure in creating his own custom root store.
Root Causes 510: Introducing the GoML Browser
26 Jun 2025
Contributed by Lukas
We discuss Jason's code vibing journey to create the Get Off My Lawn! (GoML) browser. We discuss SSL certificate information, EV indicators, and cooki...
Root Causes 509: What Is a CPS?
25 Jun 2025
Contributed by Lukas
We define CPS (Certificate Practices Statement) and explain the role it plays in both the WebPKI and private CAs.
Root Causes 508: What Is Code Vibing?
23 Jun 2025
Contributed by Lukas
"Code vibing" is using generative AI to create or improve working code. We share Jason's adventure using code vibing to create his own web browser.
Root Causes 507: First Distrust of 2025
19 Jun 2025
Contributed by Lukas
The first CA distrust event of 2025 comes with two simultaneous CA distrusts. We give you the details.
Root Causes 506: Recap of CABF Face-to-face #65
17 Jun 2025
Contributed by Lukas
For the first time ever, Jason and I record an episode from the floor of the CA/Browser Forum face-to-face meeting. We recap the themes of this meeti...
Root Causes 505: Trust Now, Forge Later
13 Jun 2025
Contributed by Lukas
In this episode we explain the potential for future quantum computers to break files signed today with RSA or ECC, called "Trust now, forge later."
Root Causes 504: Jason Programs a Quantum Computer
10 Jun 2025
Contributed by Lukas
Jason describes his recent experience using Amazon Braket.
Root Causes 502: The PQC Game of Chicken
04 Jun 2025
Contributed by Lukas
In this episode Jason explains the fallacy of "playing chicken" with the Quantum Apocalypse. We discuss stack ranking and "eyes open" PQC risk decisi...
Root Causes 501: Why Increasing RSA Key Size Won't Solve the Quantum Problem
02 Jun 2025
Contributed by Lukas
In this brief episode we explain why the problem that Shor's Algorithm poses to RSA and ECC can't be solved simply by increasing key size.
Root Causes 500: OMG! 500 Episodes of Root Causes!
29 May 2025
Contributed by Lukas
Wow. It's episode 500 of Root Causes. Jason and Tim talk about how the podcast has evolved in the past six years, how it remains consistent, and the u...
Root Causes 499: Don't Blame Signal
27 May 2025
Contributed by Lukas
The recent Signal controversy highlights the importance of understanding what protections an E2EE messaging app provides, and what it does not.
Root Causes 498: UK NCSC PQC Guidance
23 May 2025
Contributed by Lukas
The UK National Cyber Security Centre (NCSC) has released new PQC guidance. We take exception to the dates it gives and explain why.
Root Causes 497: PQC Update with Sofia Celi
21 May 2025
Contributed by Lukas
Guest Sofia Celi (IETF, Brave) returns to talk about important developments in post quantum cryptography. Sofia tells us about her candidate algorithm...
Root Causes 496: E2EE Gmail
18 May 2025
Contributed by Lukas
Gmail is now end-to-end encrypted for all recipients, regardless of the receiving client. We explain how Gmail accomplishes this trick.
Root Causes 495: Trust Models and Post Quantum Cryptography
16 May 2025
Contributed by Lukas
We build on our Trust Models discussion to explore how organizations can structure their PKI for the transition to post quantum cryptography (PQC).
Root Causes 494: Introduction to Trust Models
13 May 2025
Contributed by Lukas
We explain the basics of trust models and compare various models including WebPKI, private CA, and consortium models.
Root Causes 493: Disentangling Public and Private Certificate Use Cases
07 May 2025
Contributed by Lukas
Changing root store requirements mean CAs must separate their root hierarchies for different certificate types. We explain why enterprises should cons...
Root Causes 492: When Mandatory Security Training Sucks
06 May 2025
Contributed by Lukas
In this episode we get excited about errors we see in mandatory security trainings.
Root Causes 491: RSA's Non-quantum Threat
01 May 2025
Contributed by Lukas
We are rejoined by Dr. Michele Mosca to explore the potential threat of RSA being broken even in the absence of a quantum computing attack.
Root Causes 490: Chrome and Chromium
28 Apr 2025
Contributed by Lukas
We define Chrome versus Chromium, explaining what each is and the difference between the two.
Root Causes 489: Does AI Nullify E2EE?
24 Apr 2025
Contributed by Lukas
Does AI kill end-to-end encryption? There is a contention that the presence of AI agents in the workstream will render your confidential information ...
Root Causes 488: CABF Face-to-Face Meeting Update
22 Apr 2025
Contributed by Lukas
We explain the major news items from the most recent CA/Browser Forum face-to-face meeting in Tokyo. Topics include MPIC, 47-day certificate term, and...
Root Causes 487: Security 2030
16 Apr 2025
Contributed by Lukas
Jason and I take a peek forward at what we imagine IT security looks like in 2030. Topics include PQC, ZTNA, "green zones," deep fakes, IoT, connecte...
Root Causes 486: 47-day Maximum Term Ballot Passes CABF
14 Apr 2025
Contributed by Lukas
Apple's ballot to step the maximum term for public SSL certificates down to 47 days has passed in the CA/Browser Forum. We explain.
Root Causes 485: What Is Open MPIC?
13 Apr 2025
Contributed by Lukas
Guest Dmitry Sharkov joins us to describe Open MPIC, the open-source project to help public CAs support MPIC.
Root Causes 484: Multi Good Factor Authentication
09 Apr 2025
Contributed by Lukas
We define multi good factor authentication, which is the idea that not all authentication factors are equal. We discuss the importance of considering ...
Root Causes 483: Introducing the PQC Sandbox
07 Apr 2025
Contributed by Lukas
We are joined by repeat guest Bruno Couillard of Crypto4A to introduce Sectigo's new post quantum cryptography (PQC) sandbox. The PQC sandbox allows ...
Root Causes 482: Microsoft and PQC
02 Apr 2025
Contributed by Lukas
In this episode we explore the potential PQC future for Microsoft Active Directory Certificate Services, aka MSCA. We discuss potential paths for Mic...
Root Causes 481: What Is Protocol Ossification?
31 Mar 2025
Contributed by Lukas
Protocol ossification is the phenomenon whereby ecosystems fail to work correctly with the full range of options included in a protocol. This occurs ...
Root Causes 480: White House PQC Executive Order
24 Mar 2025
Contributed by Lukas
Many people believe that the Trump White House rescinded an important cybersecurity executive order from the late days of the Biden administration. We se...
Root Causes 479: AI Adversarial Machine Learning
21 Mar 2025
Contributed by Lukas
In this episode we discuss the thinking on how adversaries can exploit the flaws in AI models to achieve unexpected and dangerous results. We explore...
Root Causes 478: Should We All Switch from RSA to ECC?
17 Mar 2025
Contributed by Lukas
RSA is under attack. Even without the quantum threat, we face the possibility of smart new exploits reducing the viable RSA key space and rendering i...
Root Causes 477: Comparative Security Philosophies
12 Mar 2025
Contributed by Lukas
We discuss how various popular computing platforms approach security and highlight the differences between them.
Root Causes 476: The Need for Security KPIs
10 Mar 2025
Contributed by Lukas
Jason recounts a 2024 Black Hat talk about the need for objective measurements of our IT defenses and whether the good guys or bad guys are winning. J...
Root Causes 475: Can Your AI Scheme Against You?
05 Mar 2025
Contributed by Lukas
It's the stuff of science fiction! Interesting research shows how today's AI technology is capable of lying to and scheming against its human owners i...
Root Causes 474: Explaining Shor's Algorithm
02 Mar 2025
Contributed by Lukas
We talk a lot about Shor's Algorithm in our discussion of post quantum cryptography (PQC). In this episode Jason explains Shor's algorithm for non-qua...
Root Causes 473: Does Security Software Lack Creativity?
28 Feb 2025
Contributed by Lukas
Jason reports on a 2024 Black Hat keynote about how modern software development practices inhibit innovation and invention.
Root Causes 472: AI Offensive Modeling
26 Feb 2025
Contributed by Lukas
AI tools are now available to perform red-teaming activity for DevSecOps. Such tools are soon to be table stakes in the constantly escalating IT secur...
Root Causes 471: ACME for PQC
23 Feb 2025
Contributed by Lukas
In this episode, guest Alexandre Giron explains what is needed to support post quantum cryptography (PQC) with ACME.
Root Causes 470: The MFA False Equivalency Fallacy
19 Feb 2025
Contributed by Lukas
Not all forms of MFA are equally secure. In this episode we describe the differences between the more secure and less secure forms of MFA.
Root Causes 469: The All or Nothing Fallacy in Cybersecurity
17 Feb 2025
Contributed by Lukas
In this episode we explain the all-or-nothing fallacy in cybersecurity and how it's affecting debate in the WebPKI right now.
Root Causes 468: UK Demands New Backdoor from Apple
14 Feb 2025
Contributed by Lukas
A new demand from the UK seeks complete access to all Apple cloud data housed in the UK, regardless of the data owners' citizenship and residency. We ...
Root Causes 467: Decoupling Public from Private Use Cases
12 Feb 2025
Contributed by Lukas
The past year has seen a great deal of focus on the use of public TLS certificates where private root certificates are actually the appropriate soluti...
Root Causes 466: Apple Moves 47-day Ballot to CABF Vote
09 Feb 2025
Contributed by Lukas
Apple is proceeding with a ballot that eventually will shorten SSL certificate maximum term to 47 days. Accompanying the ballot, Apple released a sta...
Root Causes 465: Twelve Bugzilla Sins for CAs to Avoid
07 Feb 2025
Contributed by Lukas
In the wake of the Bugzilla Bloodbath, we list and describe twelve sins CAs commit on Bugzilla and its like, why they're detrimental, and how CAs shou...
Root Causes 464: Defending Against Harvest and Decrypt
05 Feb 2025
Contributed by Lukas
Harvest and decrypt is a well-known attack vector against traditional cryptography prior to PQC. In this episode, we discuss what enterprises should b...
Root Causes 463: Cellular Networks Are Insecure
03 Feb 2025
Contributed by Lukas
In this episode we explain that all cellular networks, contrary to popular belief, are fundamentally insecure.
Root Causes 462: Crypto War 3.0
31 Jan 2025
Contributed by Lukas
In this episode we walk through the evolution of the war on cryptography, from the beginning up through today, terminating in what we call Crypto War ...
Root Causes 461: Sectigo Acquires Entrust Public CA Business
29 Jan 2025
Contributed by Lukas
Sectigo today announced the acquisition of the Entrust public CA business. Entrust will go forward as a Sectigo reseller. Join us to learn the details...
Root Causes 460: The State of PQC with Michele Mosca
28 Jan 2025
Contributed by Lukas
In this episode we are joined by Dr. Michele Mosca. We discuss his pioneering work identifying the need for post-quantum cryptography, where PQC stand...
Root Causes 459: 2024 Lookback - Shortening Certificate Lifespans & DCV
24 Jan 2025
Contributed by Lukas
2024 set in motion major changes for certificate lifespans and DCV. In this episode we discuss the Apple 47-day proposal, stepping down certificate t...
Root Causes 458: Apple Extends Entrust Distrust to SMIME and VMC
19 Jan 2025
Contributed by Lukas
Apple has added itself to the Entrust distrust and has extended this distrust to S/MIME and VMC. We explain.
Root Causes 457: 2024 Lookback - Guests
17 Jan 2025
Contributed by Lukas
We had a remarkable year on the Root Causes podcast in terms of our guests. We look back at the extremely expert guests we were lucky to talk about in...
Root Causes 456: 2024 Lookback - Bugzilla Bloodbath
14 Jan 2025
Contributed by Lukas
In this 2024 lookback episode, we give an overview of the firestorm of Bugzilla incidents that we refer to as the Bugzilla Bloodbath. The Bugzilla Blo...
Root Causes 455: PQC Standardization in IETF
08 Jan 2025
Contributed by Lukas
We talk with guest Sofia Celi of Brave Browser, who leads the IETF PQC standardization effort, about the process of setting standards for PQC-compatib...
Root Causes 454: 2024 Lookback - Post quantum cryptography (PQC)
02 Jan 2025
Contributed by Lukas
2024 was an eventful year for post quantum cryptography (PQC). This includes FIPS standards, the PQC onramp, and the dawn of widespread interest among...
Root Causes 453: It Turns Out Monkeys Couldn't Type Shakespeare After All
02 Jan 2025
Contributed by Lukas
The old adage states that a monkey in front of a keyboard, given enough time, could randomly type the works of Shakespeare. Apparently, someone ran th...
Root Causes 452: 2024 Predictions Scorecard
26 Dec 2024
Contributed by Lukas
We go over our predictions for 2024 and score our ability as prognosticators.
Root Causes 451: A Year in CABF Ballots
26 Dec 2024
Contributed by Lukas
It was a crazy year for CA/Browser Forum activity, with nearly three times the normal number of ballots. Guest Martijn Katerbarg goes over the 32 CAB...
Root Causes 450: 2025 Predictions
23 Dec 2024
Contributed by Lukas
We make our 2025 predictions. Topics include maximum certificate term, AI, post-quantum cryptography (PQC), deep fakes, and more.
Root Causes 449: What Is a Quantum-safe HSM?
18 Dec 2024
Contributed by Lukas
Repeat guest Bruno Couillard of Crypto4A joins us to define a quantum-safe (or PQC enabled) hardware security module.
Root Causes 448: The Privilege of Being a Public CA
17 Dec 2024
Contributed by Lukas
We go over Tim's September 2024 keynote speech at ENISA CA Day, "The Privilege of Being a Public CA."
Root Causes 447: NIST Deprecates RSA-2048 and ECC 256
13 Dec 2024
Contributed by Lukas
As part of its post-quantum cryptography (PQC) initiative NIST has released a draft deprecating RSA-2048 and ECC 256 by 2030 and disallowing them by 2...
Root Causes 446: Sectigo Assumes Five CABF Offices
12 Dec 2024
Contributed by Lukas
Tim has stepped into the position of vice-chair of the CA/Browser Forum, and Sectigo now holds five chair or vice-chair positions in that body. We exp...
Root Causes 445: Seven Reasons to Shorten Certificate Lifespans
09 Dec 2024
Contributed by Lukas
We take a deep dive into the seven reasons shorter certificate lifespans are better.
Root Causes 444: What Happens to the WebPKI if Google Sells Chrome?
05 Dec 2024
Contributed by Lukas
We discuss how a potential break of Chrome from Google would affect the WebPKI. We look at product changes, resourcing, post-quantum cryptography (PQ...
Root Causes 443: Is MSCA Going Away?
01 Dec 2024
Contributed by Lukas
In this episode we discuss the challenges for enterprises using Microsoft Active Directory Certificate Services (ADCS).
Root Causes 442: Apple Proposal to Reduce SSL Lifespan Updated
25 Nov 2024
Contributed by Lukas
Apple has published an updated draft to its proposal for shortening the lifespan of SSL certificates, including a final maximum term of 47 rather than...
Root Causes 441: New White House Initiative Targets BGP
22 Nov 2024
Contributed by Lukas
A new White House initiative requires federal agencies to create plans to thwart BGP attacks. We discuss, including Resource PKI (RPKI) and ...
Root Causes 440: Public Key Directories
18 Nov 2024
Contributed by Lukas
We talk about public key directories and complicating factors such as Tailscale, VPN, TOR, Cloudflare, and Zero Trust.
Root Causes 439: PQC Onramp Narrowed Down to 15 Candidates
15 Nov 2024
Contributed by Lukas
NIST has narrowed its PQC onramp contest to 15 candidates. We go over who remains and the makeup of the remaining candidates.
Root Causes 438: PQC Is an Existential Requirement
12 Nov 2024
Contributed by Lukas
Repeat guest Bruno Couillard argues that cryptography is part of the foundational fabric of our lives and that the transition to PQC is an existential...
Root Causes 437: Don't Blame the Linter
05 Nov 2024
Contributed by Lukas
Linters are essential tools for maintaining quality of certificate issuance. Public open-source linters are available to help CAs assure compliance. A...
Root Causes 436: Formal Proofs
29 Oct 2024
Contributed by Lukas
Formal proofs are critical to cryptography. We discuss how better processes and AI can accelerate formal proofs of cryptographic concepts.
Root Causes 435: The PQC "Q Day" Is Not That Simple
25 Oct 2024
Contributed by Lukas
The PQC community likes to debate when crypto relevant quantum computers will be available, which is sometimes called "Q day." In this episode we expl...
Root Causes 434: Did Researchers Break AES Using Quantum Annealing?
22 Oct 2024
Contributed by Lukas
News reports claim Chinese researchers broke AES with a quantum annealing computer. We clarify the details and talk about the implications of this rep...
Root Causes 433: Will AI Eat All the Electricity?
17 Oct 2024
Contributed by Lukas
We explore the question of whether or not we have enough electricity to fuel AI's expected growth.
Root Causes 432: Apple Floats New Short-lived Certificate Proposal
14 Oct 2024
Contributed by Lukas
Apple recently floated a draft CABF ballot for commentary that steps down maximum term for SSL certificates starting next year and eventually landing ...
Root Causes 431: New Mozilla Proposal to Combat Delayed Revocation
11 Oct 2024
Contributed by Lukas
Deliberate delay of mandatory revocations has plagued the WebPKI in 2024. A new proposed policy from Mozilla stands to eliminate most of this behavior...
Root Causes 430: How Does a TLS Handshake Work?
09 Oct 2024
Contributed by Lukas
In this episode we give a high-level explanation of what happens in a TLS 1.3 handshake and then discuss what will happen when PQC is included.
Root Causes 429: ServiceNow Outage Due to Expired Root Certificate
08 Oct 2024
Contributed by Lukas
A ServiceNow private CA root expired, creating outages across hundreds of enterprises. We explain what appears to have gone on.
Root Causes 428: .MOBI Attack Puts WHOIS-based DCV into Question
04 Oct 2024
Contributed by Lukas
White hat researchers managed to take over WHOIS for the .mobi TLD. Among other things, this discovery foretells the death of WHOIS as a valid email s...
Root Causes 427: Mapping CLM to NIST CSF 2.0
01 Oct 2024
Contributed by Lukas
In this episode we map the contributions of Certificate Lifecycle Management into the new NIST Cybersecurity Framework 2.0.