
Posts by Matt M

The difficulty of making sure your website is broken Have you ever needed to make sure your website has a broken certificate? While many tools exist to help run an HTTPS server with valid certificates, there aren’t tools to make sure your certificate is revoked or expired. This is not a problem most people have. Tools to help manage certificates are always focused on avoiding those problems, not creating them. Let’s Encrypt is a Certificate Authority, and so we have unusual problems we need to solve.

Have you ever needed to make sure your website has an expired or revoked certificate? No, that's not a problem people have. But we do, because CAs have to run test sites with them.

I wrote a post about this problem, and the tool that we use to host ours:

letsencrypt.org/2026/04/10/t...

1 week ago 5 0 0 0

people are always talking about a hypothetical technologically advanced alien race ... but I always wonder, if they exist, do they also have to deal with PKI?

2 years ago 9 3 0 0

The disagreement is just whether “memory safety” is a programming language theory definition or a security one. I think you are wrong to say it’s “embarrassing” for people to choose the other definition, and reasonable people can be on both sides of this fence.

3 months ago 0 0 1 0
Addressing Linux's Missing PKI Infrastructure Earlier this year, LWN featured an excellent article titled “Linux’s missing CRL infrastructure”. The article highlighted a number of key issues surrounding traditional Public Key Infrastructure (PKI)...

Earlier this year, LWN.net featured an excellent article named "Linux's missing CRL infrastructure", and today Canonical announced it will be working with me and @jbp.io over the coming weeks to start bridging the PKI infrastructure gap.

discourse.ubuntu.com/t/addressing...

4 months ago 25 5 3 0

anyone need their horse rotated?

7 months ago 725 270 37 89
1972339 - cert.validation_success_by_ca bin collision between CAs and unknown entries in RootCertificateTelemetryUtils.h NEW (nobody) in Core - Security: PSM. Last updated 2025-06-16.

I spent a bit of time poking around the Firefox codebase and filed a bug with the findings: bugzilla.mozilla.org/show_bug.cgi...

Those entries are a combination of both Kamu SM as well as roots which have been locally added to Firefox's trust store

10 months ago 1 0 2 0

I think it’s a data error, possibly on Mozilla’s part - I found a comment suggesting bins 0 and 1 are reserved, but recently they put Kamu SM into bin 1. Maybe I’ll just exclude those suspicious bins.

10 months ago 2 0 1 0
Bar chart showing the largest CAs in Firefox's telemetry are Google, Digicert, ISRG, AWS, Entrust, Sectigo, Globalsign, and Godaddy. Other entries are all much smaller.


Firefox's telemetry has data on how many times a CA is used to successfully validate certificates. This is a pretty good measure for how "big" a CA is. The data is hard to view in Mozilla's site, so I've made a script to combine a few data sources and graph it! github.com/mcpherrinm/c...

10 months ago 7 0 1 0

Customers: We want a faster horse

Henry Ford: Ah. In fact—

Kubernetes: Let me stop you right there. What you really need is 1000 horses that die randomly

10 months ago 107 19 3 0

Inspired by the classic xeyes program, I made a thing:

ssh teyes.fly.dev

Or go install github.com/mcpherrinm/teyes@latest && teyes

Give your mouse a wiggle over the terminal!

10 months ago 2 0 0 0
Ontario Cryptography Day June 6, 2025 • University of Waterloo

I'll be speaking at the Ontario #Cryptography Day!

ontario-crypto-day.github.io

Where: University of Waterloo Davis Centre (DC) 1301 and 1302
When: Friday, June 6, 2025, from 10am to approx. 4:30pm

I hope anyone in the area interested in cryptography is able to attend!

11 months ago 9 4 1 0
Unsplash image of the Earth, mostly the nightside with a tracery of city lights on every continent.


OK, this is wild.

In September 2023, geophysicists across the world started monitoring a very odd signal coming from the ground under them.

It was picked up in the Arctic. And Antarctica. It was detected everywhere, every 90 seconds, as regular as a metronome, for *nine days*.

What the HELL?

1/

11 months ago 22463 7740 742 1491

A lot of Americans don't know this, but the winner of the Canadian election will be required to live in a small cottage located in the backyard of the palace where the viceroy to the King of England lives.

The cottage just recently got a new wifi router, which was very exciting for all Canadians.

11 months ago 1751 397 97 218

Array indices start at 0 in C, but start at 32 in F.

1 year ago 55 14 2 1
Screenshot of the new certificate viewer on iOS, showing the certificate for blogs.webkit.org


Of all the things I didn’t expect to ever happen, iOS Safari actually got a certificate viewer in 18.4! webkit.org/blog/16574/w...

1 year ago 7 1 0 0
We Issued Our First Six Day Cert Earlier this year we announced our intention to introduce short-lived certificates with lifetimes of six days as an option for our subscribers. Yesterday we issued our first short-lived certificate. Y...

We've issued our first short-lived (6 day) certificate! letsencrypt.org/2025/02/20/f...

1 year ago 1 0 0 0

The key line here is:

> ... certificates issued on or after June 15, 2026 MUST include the extendedKeyUsage extension and only assert an extendedKeyUsage purpose of id-kp-serverAuth.

1 year ago 2 0 0 0
Chrome Root Program Policy, Version 1.6

Chrome has published version 1.6 of their root store policy.

Notably, this includes a deadline of June 15, 2026 to get TLS Client Auth out from any intermediates under roots in Chrome's program.

TLS client cert users from public CAs may need to make changes.

www.chromium.org/Home/chromiu...

1 year ago 10 4 1 0
Screenshot of Firefox 135 showing an Insufficient Certificate Transparency error on https://no-sct.badssl.com


1 year ago 4 0 0 0
Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135

Congratulations to the Firefox team for shipping CT enforcement!

> Starting in Firefox 135, Certificate Transparency is now enforced on all desktop platforms.

groups.google.com/a/mozilla.or...

1 year ago 70 15 1 1

Canadian MP Charlie Angus: Our beloved Canada is under threat.

The threat comes from the president of the US—a convicted felon and known predator. But the threat is also being driven by the hate algorithms of oligarchs like Elon Musk….

1 year ago 27310 8219 956 918
Manitoulin Stuck in Ice Offshore in Buffalo, NY.

heads up for fans of the "ship is stuck" genre, the Manitoulin is currently stuck in icy Lake Erie just outside Buffalo
www.reddit.com/r/GreatLakes...

1 year ago 213 50 1 24
AIS year in review 2024 Stats and interesting ships I saw come sailing in

Boatify wrapped 2024! Stats, maps, timelapses and silly stuff from my AIS receiver and webcam overlooking the Firth of Forth. (recommend viewing on a grown up computer, works on phones but not optimised for them) vessels.marinesightings.com/review/2024/

1 year ago 12 5 2 3
Improving the SRE Experience for 10 Years as a Free, Open, and Automated Certificate Authority | USENIX

I'm speaking at #SREcon in Santa Clara this March! Come learn how Let's Encrypt issues millions of certificates with just a handful of staff and servers! www.usenix.org/conference/s...

1 year ago 8 2 0 0

I hear that the Ontario Government is directing Metrolinx to start investigating 'the missing link', and if it actually amounts to anything, it is quite an impactful project for Toronto region passenger and freight

1 year ago 26 8 1 2
XShot Dart Chain Expansion - 3D model by Hacksmith on Thangs This 3d printable model lets you expand the length and capacity of your XShot Nerf dart chain giving you the ability to load in as many darts as you want. - 3D

If you have access to a 3d printer, thangs.com/designer/Hac...

1 year ago 15 0 0 0

I think this comment really made it click for me why this is useful in a way that the docs alone hadn't!

1 year ago 2 0 1 0
A chart of quantum computing comparing number of qubits to error rate. This is a very visual chart and is better explained in text on my website.


2024 update for my chart on the landscape of quantum computing: sam-jaques.appspot.com/quantum_land...

Not much visible on the chart, but Google's result (the one with the recent press attention) is a pretty big deal

1 year ago 39 15 2 1

The Côte-Nord has experienced extreme weather conditions in recent weeks. About 75 mm of ice accumulated on our transmission lines in some places, and we had to dispatch crews there quickly to de-ice the lines.

1 year ago 142 30 11 16

The train livery for the return of the Ontario Northland Railway "Northlander" train.

Source: news.ontario.ca/en/r...

1 year ago 20 4 0 1