@jbp.io and I will be presenting on our upki project to make TLS certificate verification more secure for non-browser Linux apps.

At #rustweek I'll have new stickers celebrating a decade of rustls. First commit was ten years ago tomorrow

If you'd like, you can buy rebrands and listed OEs from us. However, you don't have to! Our cert has one of the broadest list of tested OEs of the industry, and you can just use it with stock Go 1.24+ and GOFIPS140=v1.0.0, courtesy of Geomys. The point was removing this roadblock to Go adoption.

A bit over two years after starting to work on it... Go is officially FIPS 140-3 certified 💥 csrc.nist.gov/projects/cry... I am pretty confident Go is now one of the most—if not the most—seamless and complete FIPS 140-3 compliance solutions... with a single env var, out of the box.

New Blog post: "Multiple things can be true at the same time" - frederikbraun.de/feels-and-ll... Dear reader, I am sure you have read a lot of blog posts about AI in the past weeks or months. This is my post.…

I wrote a blog post for the Alpha Omega Foundation on the work I did to surface RustSec advisories on crates.io: alpha-omega.dev/blog/surfaci...

@filippo.abyssdomain.expert plugs Wycheproof test vectors github.com/C2SP/wychepr... #realworldcrypto

did something very silly, may have some at gophercon this year if you ever sent us a vulnerability report or contributed to Go crypto (or are just nice to me) thanks to @ljamesart.bsky.social who did the great art!

With the @openuk.bsky.social Awards coming up, we’re excited that Rustls — a memory-safe TLS library — is shortlisted in two categories, and Creator Joe Birr-Pixton is also recognized individually. The Rust Foundation is proud to support Rustls through the Rust Innovation Lab 🧡

In August I delivered my traditional Go Cryptography State of the Union talk at @gophercon.com in New York. It goes into everything at the intersection of Go and cryptography from the last year. (Also, bragging t-shirts!) Watch the video or read the transcript of my performance review!

Maintaining #Rustls isn’t just code — it’s choices. Dirkjan shared how OSS maintainers balance safety vs. niche flexibility and why API instability or incompatibility can ripple across the ecosystem. Full story at netstack.fm/#episode-7

We have a little blog post about this rustls.dev/blog/2025-09...

we lived

PowerDNS Recursor 5.3.0 has a nice note in the changelog: > The embedded webserver used to display the status page and process REST API calls has been rewritten in Rust and now supports multiple listen addresses and TLS. The new code is powered by Hyper+Rustls+Ring 🦀 🔒 (h/t Stefan Schmidt)

TIL the B root servers have deployed experimental DoT support for TLS on the recursor -> auth. server leg: b.root-servers.org/research/tls...

TIL that the ITU has an annual "X.509 Day", wheeee www.itu.int/md/T25-TSB-C...

We announced the new native Go FIPS 140-3 mode today! FIPS 140, like it or not, is often a requirement, and I was increasingly sad about large deployments replacing the Go crypto packages with non-memory safe cgo bindings. Go is now one of the easiest and most secure ways to build under FIPS 140.

Today we released rustls 0.23.29 crates.io/crates/rustl... -- highlights are better error reporting for unsupported signature algorithms in certificates, and quite a few performance improvements (via a set of changes that started almost 2 years ago!)

Pretty excited about the release of instant-acme 0.8, with lots of work from @cpu.xkeyscore.club (who joined as a maintainer) on ARI, profiles, integration testing and a much improved API. github.com/djc/instant-...

Nerd-sniped by bagder into looking at how rustls-ffi stacks up against OpenSSL on memory allocations/peak heap usage when plugged in as a curl vTLS backend. Headlines: * with rustls-ffi 0.15.0: 2,176 allocations. peak heap of 394kB. * with openssl 3.4.1: 308,132 allocations (!). peak heap of 2.1MB

You love to see it.

I don't think they post here, but excited to be talking about what the Go Security team does, and why (hopefully) you don't hear much about us, at GopherCon UK in August.

IP address certificate subjects are coming to Let's Encrypt SOON™: community.letsencrypt.org/t/getting-re... The groundwork for this was started ~2020 so it's extremely cool to see it coming to fruition !

Harsh but fair

Wrote some notes on self-hosting an Atuin sync server and getting to it via Tailscale hackd.net/posts/atuin-...

‪*slaps roof of libcrypto* this bad boy can fit so much global mutable state inside it!‬

Had a gig wrap up a little earlier than expected, I should have availability starting July or so. As always: if you need help with Embedded, Rust, or similar things, shoot me a message! If you're a user of postcard, p-rpc, or are interested in the more experimental new ergot: shoot me a message!

I implore folks to apply a better theory of the mind than "they dumb or evil" to experienced Chrome engineers entrusted with the security of 3.5B people. You can still disagree! But if you can't articulate their technical motivations, please pause for a second and consider you might be missing it.

Today I thought I would try the Spotify Linux desktop client instead of the web UI. It's only _slightly_ disconcerting to find after an hour of listening that it's been spewing stack smashing errors 😬

🎉 Go 1.25 Release Candidate 1 is released! 🏃‍♀️ Run it in dev! Run it in prod! File bugs! go.dev/issue/new 📢 Announcement: groups.google.com/g/golang-ann... 📦 Download: go.dev/dl/#go1.25rc1

Here's my talk on Graviola -- youtu.be/n6gA93iSj68

In case you missed it, here’s the second in-depth interview with open source maintainer Stefan Eissing @icing.bsky.social from the first cohort of the Sovereign Tech Fellowship. Stefan has been building connections since the days of dial-up modems. (1/2)

Whenever I get self conscious about naming libraries silly things, I remind myself that Arm (the acorn risc machine) released the ARM (architecture reference manual) for their A/R/M (application/realtime/microcontroller) processors, making the document the Arm A/R/M ARM.

Woodfrogs are great. i) they can survive -6°C temps and having 60% of the water in their bodies freeze ii) they have kvlt face paint I rest my case

This week I've been working on adding Pebble integration tests to Go's /x/crypto/acme package: github.com/cpu/crypto/b... Not as complete yet, but fun to contrast the resulting code with the version I cooked up in Rust in collaboration w/ @djc.ochtman.nl for instant-acme: github.com/djc/instant-...

It's been a minute 🫠

The "L" key on my keyboard has been dropping keystrokes ately and you can probably te from the mess of typos ike this I'm eaving everywhere in my wake

Fiddling with x509-limbo this morning for rustls-webpki (github.com/C2SP/x509-li...). Between Wycheproof, BoGo, BetterTLS and x509-limbo there's no shortage of excellent cryptography/TLS test frameworks these days.

Hello! I'm Daniel/@cpu I <3 open source and split my time between working for @geomys.org on Go cryptography, and hacking on various other bits of applied cryptography (notably github.com/rustls/rustls & friends). I'm new to Bluesky. Let's see how it goes?