I'm jealous, bitcoiners can backup their wallers to seed phrases. It's not really possible to do the same thing with PGP keys.

#cybersecurity #pgp #bitcoin #backups #pki

🎙️ Nouveau podcast sur les Key Ceremonies avec Dominique Derrier et Thomas Veynachter

Saviez-vous que seulement 0,04% de la population connaît ces processus ultra-secrets qui protègent TOUTES vos transactions numériques ? 🔐

15 personnes dans des cages de Faraday, des clés qui valent des milliards, des héros invisibles...

🎧 Web: https://polysecure.ca/posts/episode-0x597.html#32756e1b
🎧 Spotify: https://open.spotify.com/episode/2zcXdViHv1EsDetCsAX2OM?si=9SsT57CiQtuA31YJLydRsw
🎧 YouTube: https://youtu.be/wAmQg7BAGu0

#KeyCeremony #PKI #Cryptographie

I know #Docker is THE hot thing these days, but I swear, sometimes is JUST makes my life much more difficult than it needs to be.

e.g. I have an internal-only service, Zero WAN/Internet access, which will not run without HTTPS/certs as it leans on browser crypto APIs.

Okay, not unusual, but can I deploy certs to a container easily? Fuuckkkkk no. The tool's creator recommends #ACME (#LetsEncrypt or another tool implementing ACME) but again, no-internet.

Well, I have an internal #PKI. Their docs contain a one-liner saying it should use #Caddy / #traefik / #nginx reverse proxy in that situation. Now, I have to stand up, configure, manage, etc. something else just to drop a cert in front of this thing. It's still not natively encrypted.

Took me 10 seconds to whip up a cert from my infra and it's gonna take me longer to build something to actually dish it out.

OpenBAO (Vault open-source fork) Namespaces
https://openbao.org/blog/namespaces-announcement/
#ycombinator #openbao #secrets_management #open_source #linux_foundation #encryption_as_aservice #key_management_system #pki #transit #ssh #secret_vault #database_passwords

El lado del mal - FrodoKEM: Un Key-Encapsulation Mechanism Quantum-Safe (PQC) que recibe su nombre por "El señor de los Anillos" https://elladodelmal.com/2025/05/frodokem-un-key-encapsulation-mechanism.html #PQC #Criptografía #Quantum #LearnWithErrors #Cifrado #PKI #KEM

Il y a des experts en cryptograhie ici ?
Un certificat avec des SANs mais sans Common Name / Subject ; c'est possible ?
https://crt.sh/?id=18519921301
#tls #pki #https

Wir sind auf der Zielgeraden zu unserer Secure #Linux #Administration Conference 2025 in Berlin und die Vorfreude steigt. 🎉 Nutzt die Chance und seid vom 2.-4. Juni 2025 dabei!

Die letzten Programmslots sind gefüllt mit Vorträgen zu #PKI-Architekturen und zu UC Cloud Services sowie mit einem Workshop zu modernen #Shell-Features - insgesamt warten 20 Vorträge und 6 Workshops auf euch.

🎟️ Jetzt anmelden:
https://www.heinlein-support.de/news/last-call-slac-2025

#slac2025 #LinuxKonferenz

The SignServer Team is happy to announce the release of SignServer CE 7.1.1

Featuring NIST approved quantum-safe algorithms ML-DSA and SLH-DSA.

https://github.com/Keyfactor/signserver-ce/releases/tag/v7.1.1

#Keyfactor #SignServer #digitalsignatures #codesigning #pki #postquantum

MT @digicert@x.com
#TLS cert lifetimes are shrinking to 47 days by 2029. The message is clear: #automation isn’t optional anymore. As DigiCert’s Dean Coclin says, “success depends on #cryptoagility + treating #DigitalTrust as a strategy, not a set-it-and-forget-it task.” 🔐
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days #pki #news #x509

New Open-Source Tool Spotlight 🚨🚨🚨

Active Directory Certificate Services (AD CS) can be a goldmine if misconfigured. Tools like Certipy simplify enumeration and abuse, leveraging techniques like Shadow Credentials, Golden Certificates, and domain escalation paths (ESC1-ESC11). #CyberSecurity #RedTeam

Certipy's `shadow` command exemplifies ADCS weaknesses. By manipulating `msDS-KeyCredentialLink`, you can take over accounts via PKINIT. It's seamless but devastating for privilege escalation. #Pentesting #ActiveDirectory

Golden Certificates mimic Golden Tickets but target ADCS. Using a compromised CA private key, an attacker can forge certs for domain controllers or users. Certipy automates this process—caution with CA backups. #InfoSec #PKI

🔗 Project link on #GitHub 👉 https://github.com/ly4k/Certipy

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

— ✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

So it's official: TLS certificate lifetimes will reduce from the current max of 398 days to:
* 200 days in March 2026
* 100 days in March 2027
* 47 days in March 2029

For web servers/proxies etc. it's reasonably simple, at least for smaller orgs but for e.g. network kit it might be more of a challenge. Having a timeframe to aim at definitely focusses the mind!

Via @riskybiz / https://risky.biz/risky-bulletin-ca-b-forum-approves-47-day-tls-certs/

#TLS #PKI #InfoSec #WebDev

Specific schedule:

March 15, 2026 - Cert validity (and Domain Control Validation) limited to 200 days.
March 15, 2027 - Cert validity (and Domain Control Validation) limited to 100 days.
March 15, 2029 - Cert validity limited to 47 days and Domain Control Validation limited to 10 days.

There's gonna be a lot of complaints about this in change control meetings over the next year200 days.

#Certificate #Certificate_Management #CABForum #PKI #WebPKI #SSL #TLS

Buckle up, kids. Automate your certificate rotations or die trying. WebPKI certificate validity period will be 47 days by 2029. https://www.bleepingcomputer.com/news/security/ssl-tls-certificate-lifespans-reduced-to-47-days-by-2029/

#Certificate #Certificate_Management #CABForum #PKI #WebPKI #SSL #TLS

The CA/Browser Forum voted to reduce the maximum lifespan of new SSL/TLS #certificates to 47 days by March 15, 2029, down from 398 days. This aims to limit the abuse of compromised certificates☝️👩‍💻 #PKI

https://go.theregister.com/feed/www.theregister.com/2025/04/14/ssl_tls_certificates/

rpki-client 9.5 released https://www.undeadly.org/cgi?action=article;sid=20250412123402 #openbsd #rpkiclient #rpki #bgp #pki #crypto #cryptography #security #routing #bgp #networking #freesoftware #libresoftware

Imagine: a journalist’s investigation collapses after certificate compromise.
A hypothetical? Yes.
A real risk? Absolutely.
This is why public trust infrastructure matters.
https://www.linuxfoundation.org/blog/the-view-from-here

#Security #PKI #DigitalTrust

Just spent some quality time figuring out why HTTPS requests with incorrect system time would fail - even though the time was between the certificate NotBefore and NotAfter.

OCSP stapling was the culprit. This adds a more strict "window of system time validity" due to the way the protocol works. The obvious reason for the smallish window is to allow caching, while reducing the replay attack possibilities. Thus, the system clock can't be backdated more than a few hours, regardless of certificate NotBefore. The system time can be more off towards the future.

In our use case, we don't need to worry about revocation and hence we will just kill OCSP use. With this, we will still have the limits set by the certificate NotBefore and NotAfter, but at least they're more predictable and somewhat laxer.

#pki #publickeyinfrastructure #tls

@Xeniax Totally nerdsniped :D I'd love to be a part of the study.

I don't think that #KeyServers are dead. I think they evolved into Verifying Key Servers (VKS), like the one run by a few folks from the OpenPGP ecosystem at https://keys.openpgp.org/about . More generally, I believe that #PGP / #GPG / #OpenPGP retains important use-cases where accountability is prioritized, as contrasted with ecosystems (like #Matrix, #SignalMessenger) where deniability (and Perfect Forward Secrecy generally) is prioritized. Further, PGP can still serve to bootstrap those other ecosystems by way of signature notations (see the #KeyOxide project).

Ultimately, the needs of asynchronous and synchronous cryptographic systems are, at certain design points, mutually exclusive (in my amateur estimation, anyway). I don't think that implies that email encryption is somehow a dead-end or pointless. Email merely, by virtue of being an asynchronous protocol, cannot meaningfully offer PFS (or can it? Some smart people over at crypto.stackexchange.com seem to think there might be papers floating around that can get at it: https://crypto.stackexchange.com/questions/9268/is-asynchronous-perfect-forward-secrecy-possible).

To me, the killer feature of PGP is actually not encryption per se. It's certification, signatures, and authentication/authorization. I'm more concerned with "so-and-so definitely said/attested to this" than "i need to keep what so-and-so said strictly private/confidential forever and ever." What smaller countries like Croatia have done with #PKI leaves me green with envy.

Heutiger Aha-Moment: #PGP-Key-Verteilung über die eigene #Webseite, komplett ohne zentralisierte #Keyserver o.ä. - sehr schön! Gleich eingerichtet. ✅
Macht Ihr auch mit?

https://blog.mister-muffin.de/2025/03/31/til-openpgp-web-key-directory/

#GnuPG #GPG #PKI

This is what innovation can do!

#AirGapped #Offline #PKI #PrivateKeys #TwoFactor- #2FA #Yubico #Yubikey

======

Vincent Bernat Turns Three YubiKeys and a Cheap Single-Board Computer Into a Secure Offline PKI
https://www.hackster.io/news/vincent-bernat-turns-three-yubikeys-and-a-cheap-single-board-computer-into-a-secure-offline-pki-1735b4ad7fc2

---
Developer Vincent Bernat demonstrates how to turn three Yubico YubiKey USB two-factor authentication dongles into an offline public key infrastructure (PKI) using a low-cost single-board computer as an air-gapped host.