TurboLight Solutions

Random Number Digest: April 2025

Tue, 06 May 2025 00:00:00 +0000

Big News

After several months of discussion, the CA/Browser Forum passed ballot SC-81 by a very comfortable margin (all YES or ABSTAIN votes), which is a stark contrast to the ballot for 398-day certificates a few years ago. The ballot establishes a maximum validity period of 47 days for publicly trusted TLS certificates, although almost all CAs will cap the validity period at 46 days to comply with the SHOULD-level requirement to not exceed 46 days (the same applies for the other steps of the validity period reduction in the ballot: 199 days for the 200-day maximum validity period, etc.). Additionally, the ballot reduces the reuse period for domain validations from 398 days to 10 days. With a 8.67x reduction in validity period and a whopping 39.8x reduction in validation lifetime, the message is quite clear: organizations need to automate the validation, issuance, and installation of their publicly trusted TLS certificates within the next few years to prepare.

Random Number Digest: March 2025

Fri, 04 Apr 2025 00:00:00 +0000

Big News

Apple’s ballot that proposes a maximum validity period of 47 days for TLS certificates — among other things — is still in discussion period at the CA/Browser Forum, but the effective dates of several items have been pushed back. It is expected that this ballot will go to voting sometime in April.

X9 launched a forum for the newly created X9 Financial PKI. The X9 Financial PKI is intended to provide an alternative for using the WebPKI for financial applications. The migration in the WebPKI from SHA-1 was challenging for several financial use cases (such as payment terminals), and this PKI will be operated with those use cases in mind instead of prioritizing browser-based TLS as it is in the WebPKI. The Forum will solicit feedback and suggestions from interested parties to help guide the evolution of the PKI.

Random Number Digest: February 2025

Tue, 04 Mar 2025 00:00:00 +0000

What is cryptography but some random numbers mixed with drama? February is the shortest month of the year, but you wouldn’t know it looking at the long list of news and happenings from the month.

Big News

The discussion on reduced certificate validity periods continues on at the CA/Browser Forum. The latest update to draft ballot SC-81 delays the rollout of the maximum certificate validity period of 47 days from 2028 to 2029. Meanwhile, a good, old-fashioned Internet flamewar continues in the comments section of the Github pull request for the ballot.

About

Mon, 01 Jan 0001 00:00:00 +0000

Professional background

I’ve spent over two decades in software engineering, the last decade specialized in PKI, inside commercial CA operations where compliance and reliability are non-negotiable.

What this solves for you: You’re not buying slideware from someone who left the trenches a decade ago. I’ve operated production CA infrastructure under real commercial and audit pressure, so my recommendations account for operational reality, not just the spec on paper.

Standards participation

CA/Browser Forum (CABF)

I’ve proposed and endorsed ballots across four working groups and served as Validation Subcommittee Chair for over 4 years.

Contact

Mon, 01 Jan 0001 00:00:00 +0000

Let’s talk

If you’re operating a CA, building PKI into a product, facing a compliance deadline, or planning for post-quantum migration, reach out and let’s discuss how I can help.

Please provide your contact information below to start the conversation.

Services

Mon, 01 Jan 0001 00:00:00 +0000

Custom PKI software development

I design and implement CAs, validation logic, certificate tooling, and integrations.

The problem this solves: You need PKI components that don’t exist off the shelf, or your existing stack doesn’t fit your operational and compliance constraints. I build production-grade software with full command of both the code and the standards it must satisfy. I eliminate the costly gap between a compliant design and a correct implementation.