If that's your kind of thing, check it out. Everything runs client-side; no data leaves your browser.
peculiarventures.github.io/cardforensics/
Posts by rmhrisk
One of the developers at Peculiar Ventures needed to debug some smart card APDU traces recently. I have enough trauma from the 90s and 2000s that I felt compelled to build an AI-annotated APDU trace analyzer.
Then he spent decades in our garage with a green chalkboard and his slide rule, trying to make sure I understood concepts like orbital decay, thrust, specific impulse, the rocket equation, and more, because he was convinced we were forgetting how to go to the moon.
My father learned rocket chemistry on a subsistence farm using stump remover and sugar. No kits. No experts. Just trial, error, and the stubborn belief that if it's broken, you fix it with what you have.
He went on to have his name engraved on hardware that flew in orbit.
Found issue. Should be fixed in the AM. Thanks.
I’ll double-check the numbers; right now it’s enumerating all CCADB JSON-populated CRLs. Could be a bug, though.
The first version of the revocation analysis is now live on the site FWIW
I have announced it on LinkedIn, Twitter, X, BlueSky, and noted it in my CA/Browser Forum presentation last week. I do intend to announce it on mdsp and the other public lists, but wanted to finish a few things, like that auditor page (now live) and the CRL checking (mostly done), before I do.
The WebPKI is something we all rely on every day, and most people do not even know it exists. What is interesting is that even those who do often do not understand it as well as they think they do.
To help more people understand how it works, I put together the WebPKI Observatory.
TL;DR - It is a signed QR code with auditable issuance, compact proof material, offline tolerance, and a path to third-party witnessing.
And of course, moving the signature outside the QR code itself means verifiers can retrieve it out of band, which allows for more data than you could fit directly in the code, even if still not as much as with classical cryptography.
The goal is that, with my favorite data structure, Merkle trees, and some thoughtful design, this could plug into the transparency.dev witness model: blog.transparency.dev/can-i-get-a-...
That would enable a network of 3rd parties to monitor the trees to help defend against split-view attacks.
Been thinking about PQC signatures in QR codes and started playing with what an MTC-like approach might look like.
Demo URL:
mta-qr.peculiarventures.com
Repo URL:
github.com/PeculiarVent...
Includes Go and TypeScript implementations. Still just an experiment.
Context:
unmitigatedrisk.com?p=933
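An added example, written here and not taken from the mta-qr repo or its Go and TypeScript implementations, of the shape the thread above describes: the QR code carries an entry plus a compact inclusion proof, the signed tree head lives out of band, and two parties who each received a head can compare them to catch a split view. Assumptions: RFC 6962 hashing, an Ed25519 signature standing in for whatever PQC scheme signs the head, and the SignedTreeHead and QRPayload layouts, which are invented for this sketch.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedTreeHead is the issuer's signed checkpoint: it travels out of band and is what
// witnesses would cosign. QRPayload is the compact material inside the code itself.
// Both layouts are assumptions for this sketch, not the demo's wire format.
type SignedTreeHead struct{ TreeSize int; Root, Sig []byte }
type QRPayload struct{ Entry []byte; Index int; Path [][]byte }

// RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
func hashLeaf(d []byte) []byte   { h := sha256.Sum256(append([]byte{0}, d...)); return h[:] }
func hashNode(l, r []byte) []byte { h := sha256.Sum256(append(append([]byte{1}, l...), r...)); return h[:] }

// split: largest power of two strictly less than n (n >= 2), the RFC 6962 split point.
func split(n int) int { k := 1; for k*2 < n { k *= 2 }; return k }

// merkleRoot is MTH and inclusionPath is PATH from RFC 6962 over leaf hashes (len >= 1).
func merkleRoot(leaves [][]byte) []byte {
	if len(leaves) == 1 { return leaves[0] }
	k := split(len(leaves))
	return hashNode(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}
func inclusionPath(leaves [][]byte, i int) [][]byte {
	if len(leaves) == 1 { return nil }
	k := split(len(leaves))
	if i < k { return append(inclusionPath(leaves[:k], i), merkleRoot(leaves[k:])) }
	return append(inclusionPath(leaves[k:], i-k), merkleRoot(leaves[:k]))
}

// verifyInclusion is the RFC 9162 section 2.1.3.2 check; the inner shift handles right-edge leaves.
func verifyInclusion(leaf []byte, index, size int, path [][]byte, root []byte) bool {
	if index >= size { return false }
	fn, sn, r := index, size-1, leaf
	for _, p := range path {
		if sn == 0 { return false }
		if fn&1 == 1 || fn == sn {
			r = hashNode(p, r)
			for fn&1 == 0 && fn != 0 { fn, sn = fn>>1, sn>>1 }
		} else {
			r = hashNode(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && bytes.Equal(r, root)
}

// headBytes is what gets signed: big-endian tree size || root.
func headBytes(size int, root []byte) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(size))
	return append(b, root...)
}

// issue hashes a non-empty batch into one tree, signs the head once, and emits one payload
// per entry. Ed25519 stands in for whichever PQC scheme would sign the head.
func issue(priv ed25519.PrivateKey, entries [][]byte) (SignedTreeHead, []QRPayload) {
	leaves := make([][]byte, len(entries))
	for i, e := range entries { leaves[i] = hashLeaf(e) }
	n, root := len(entries), merkleRoot(leaves)
	sth := SignedTreeHead{TreeSize: n, Root: root, Sig: ed25519.Sign(priv, headBytes(n, root))}
	out := make([]QRPayload, n)
	for i, e := range entries { out[i] = QRPayload{Entry: e, Index: i, Path: inclusionPath(leaves, i)} }
	return sth, out
}

// verifyPayload checks the out-of-band head signature first, then the in-code proof.
func verifyPayload(pub ed25519.PublicKey, sth SignedTreeHead, p QRPayload) error {
	if !ed25519.Verify(pub, headBytes(sth.TreeSize, sth.Root), sth.Sig) { return errors.New("bad head signature") }
	if !verifyInclusion(hashLeaf(p.Entry), p.Index, sth.TreeSize, p.Path, sth.Root) {
		return errors.New("inclusion path does not reach the signed root")
	}
	return nil
}

// splitView is the check witnesses compare notes on: two validly signed heads for the same
// tree size with different roots mean the issuer showed different parties different trees.
// (A real witness also demands consistency proofs between sizes; out of scope here.)
func splitView(pub ed25519.PublicKey, a, b SignedTreeHead) bool {
	for _, h := range []SignedTreeHead{a, b} {
		if !ed25519.Verify(pub, headBytes(h.TreeSize, h.Root), h.Sig) { return false } // forged, not a split
	}
	return a.TreeSize == b.TreeSize && !bytes.Equal(a.Root, b.Root)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed batch; a real entry would bind a subject to its key or attributes.
	sth, payloads := issue(priv, [][]byte{[]byte("t1"), []byte("t2"), []byte("t3"), []byte("t4"), []byte("t5")})
	for _, p := range payloads {
		fmt.Printf("entry %d: %d sibling hashes, err=%v\n", p.Index, len(p.Path), verifyPayload(pub, sth, p))
	}
}
```

Two things the code makes concrete. The per-code proof is only a logarithmic number of 32-byte sibling hashes, so the QR payload stays small no matter how large the signed batch is, and the one PQC signature is amortised across every entry in the tree; that is why the signature can live outside the code and be fetched out of band. And a verifier that only checks a head signature is still at the issuer's mercy: nothing stops the issuer from signing two different trees of the same size for two audiences, which is exactly the gap that comparing heads across independent witnesses closes.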
A recent incident in the Mozilla CA Program put this on public display and three root programs pushed back. The pattern isn't unique to PKI. It's just uniquely visible there.
unmitigatedrisk.com?p=1123
"Within 24 hours" becomes "promptly." Profiles become "per industry standards." Each edit is defensible. Taken together, they produce documents that can't be meaningfully audited.
⬇️
There's a pattern that plays out across every regulated industry. Requirements increase. Complexity compounds. And instead of building capacity to meet the rising bar, organizations quietly lower the specificity of their commitments.
⬇️
Today, Project Zero released a 0-click exploit chain for the Pixel 9. While it targets the Pixel, the 0-click bug and exploit techniques we used apply to most other Android devices.
projectzero.google/2026/01/pixe...
This is what zero-trust looks like at the infrastructure layer. Identity and encryption match the lifetime of the thing being secured.
If your certificate strategy still assumes stable names and year-long validity, it is already behind reality.
letsencrypt.org/2026/01/15/6...
Short-lived and IP certificates make it possible to use TLS before a DNS name exists, reduce friction for DNS over HTTPS adoption, secure ephemeral devices and services by default, and shift trust from long-lived credentials to automated renewal.
👇
Short-lived and IP address certificates are now generally available from Let’s Encrypt.
Modern infrastructure no longer has stable hostnames, static IPs, or long-lived trust anchors. Workloads spin up before DNS exists, live briefly, and disappear. Trust has to keep up.
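An added example, not Let's Encrypt's or any ACME client's code, for the two properties the thread above leans on: a certificate whose only identity is an IP address, and a lifetime short enough that automated renewal is the control. It uses Go's crypto/x509 to mint a self-signed six-day leaf with an IP SAN (self-signed so it runs offline; a real one comes from the CA), validates connection targets against it the way a TLS client would, and applies a renewal rule. The ShortLived constant, the two-thirds renewal rule, and the 10.0.0.5 address are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ShortLived is the six-day lifetime used here; treat it as a parameter, not a spec quote.
const ShortLived = 6 * 24 * time.Hour

// mintIPCert self-signs a leaf whose only identity is an IP SAN: no hostname, no DNS.
// Self-signing keeps the example offline; a deployment would get this from an ACME CA.
func mintIPCert(ip string, lifetime time.Duration, now time.Time) (*x509.Certificate, error) {
	addr := net.ParseIP(ip)
	if addr == nil {
		return nil, fmt.Errorf("not an IP address: %q", ip)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{}, // empty subject: the SAN carries the identity
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		IPAddresses:  []net.IP{addr},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptsIP does what a TLS client does with a peer certificate: chain it to a trust root
// and match the connection target against the SANs. crypto/x509 treats an IP-shaped
// DNSName as an IP SAN lookup. The cert is its own root here only because it is self-signed.
func acceptsIP(cert *x509.Certificate, target string, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: target, CurrentTime: at})
	return err == nil
}

// renewDue applies a common rule for short-lived certificates: renew once two thirds of
// the lifetime has elapsed, leaving the last third for retries. (ACME Renewal Info from
// the CA can narrow this window; that is not modelled here.)
func renewDue(cert *x509.Certificate, now time.Time) bool {
	life := cert.NotAfter.Sub(cert.NotBefore)
	return now.Sub(cert.NotBefore) >= life*2/3
}

func main() {
	now := time.Now()
	cert, err := mintIPCert("10.0.0.5", ShortLived, now) // constructed private address
	if err != nil {
		panic(err)
	}
	fmt.Println("lifetime:", cert.NotAfter.Sub(cert.NotBefore), "IP SANs:", cert.IPAddresses, "DNS SANs:", cert.DNSNames)
	for _, tgt := range []string{"10.0.0.5", "10.0.0.6", "example.test"} {
		fmt.Printf("target %-13s accepted=%v\n", tgt, acceptsIP(cert, tgt, now.Add(time.Hour)))
	}
	fmt.Println("renew at +1d:", renewDue(cert, now.Add(24*time.Hour)), "at +5d:", renewDue(cert, now.Add(5*24*time.Hour)))
}
```

The point of the short lifetime shows up in the last check: with six days of validity, a workload that misses its renewal window is off the network within a week rather than being a stale credential for a year, which is what lets revocation stop being the primary control.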
👇
TL;DR we've constructed an entire compliance industry around optimizing metrics that have become disconnected from the underlying reality they were supposed to measure.
In complex systems, oversight that depends on snapshots will fail predictably. Data without continuous interpretation does not produce safety.
Regulators oversee continuously changing systems using periodic exams. That mismatch is structural.
SVB wasn’t a surprise. Regulators had leading indicators and documented findings. Risk accumulated while interpretation and enforcement lagged.
The whole premise of a compliance team governing complex systems they barely understand is broken. Compliance in a complex system has to be a continuous team sport, a natural byproduct of the way teams work. Not an annual bolt-on.
The same will be true everywhere. Scale and velocity outpace our ability to reason. The audit still passes. The gap just grows faster.
Now consider that AI is writing 30% of the code at Google and Microsoft. The humans who understood what the system does, and whether it matches what the policy claims, understand less every quarter.
Enron passed their audits. Wirecard passed their audits. Every distrusted CA passed their audits. Auditors are paid to confirm compliance, not to find problems. When the measure becomes the target - and the measurer is incentivized to pass you - it stops measuring anything.
Really big age release coming tomorrow! 🎅🏻
- native post-quantum keys
- built-in recipients for hw plugins
- age-inspect tool
- plugin framework
- batchpass plugin
- many improved error messages
PLCs on the internet -> MCP servers on the internet.
Evolution happened. Learning didn’t.
We’re rebuilding ICS - this time with agency!