On a mission to solve communications security issues for the whole Internet. That, and drink coffee. Zola 2026-03-24T00:00:00+00:00 https://insufficient.coffee/atom.xml 2025-12-03T00:00:00+00:00 2025-12-03T00:00:00+00:00 Unknown https://insufficient.coffee/2025/12/03/reflecting-on-lets-encrypt/

<p>My friend Christophe Brocas has just <a rel="external" href="https://blog.brocas.org/2025/12/01/ACME-a-brief-history-of-one-of-the-protocols-which-has-changed-the-Internet-Security/">published a retrospective on the ten years since we unveiled the ACME protocol to the world</a>. He interviewed me and some colleagues for the piece, and I recommend it!

2025-11-06T00:00:00+00:00 2025-11-06T00:00:00+00:00 Unknown https://insufficient.coffee/2025/11/06/oscw-2026/

<p>After taking a year off from organizing OSCW 2025, I'm back for <a rel="external" href="https://opensourcecryptowork.shop/2026/">next year's event in Taipei</a>.

2024-03-14T00:00:00+00:00 2024-03-14T00:00:00+00:00 Unknown https://insufficient.coffee/2024/03/14/rwc-and-oscw-2024/

<p>I'll be attending the <a rel="external" href="https://rwc.iacr.org/2024/">Real World Crypto Symposium in Toronto</a> in two weeks time, and after that, I'm once again co-organizing the <a rel="external" href="https://opensourcecryptowork.shop/2024/">Open Source Cryptography Workshop</a>.

2023-03-30T00:00:00+00:00 2023-03-30T00:00:00+00:00 Unknown https://insufficient.coffee/2023/03/30/opensource-crypto-workshop-rustls-ffi/

<p>As I mentioned in my post about attending <a href="/2023/03/21/rwc-and-opensource-crypto-workshop-2023/">Real World Crypto 2023 and the Open Source Cryptography Workshop</a>, I've given a talk discussing <a rel="external" href="https://github.com/rustls/rustls-ffi/">Rustls-FFI</a> and the work to allow <code>curl</code> and <code>libcurl</code> to use the Rust-based, memory-safe <a rel="external" href="https://github.com/rustls/rustls">Rustls TLS library</a> in a talk called <em>Make It Memory Safe: Adapting Curl to use Rustls</em>.

2023-03-25T00:00:00+00:00 2023-03-25T00:00:00+00:00 Unknown https://insufficient.coffee/2023/03/25/nevermind-about-rwc-and-oscw/

<p>At this point I'm supposed to be in Tokyo, attending the <a rel="external" href="https://rwc.iacr.org/2023/">Real World Crypto Symposium in Tokyo</a> next week, and after that, I'm co-organizing and <a href="/speaking-engagements/">speaking at</a> the <a rel="external" href="https://opensourcecryptowork.shop/2023/">Open Source Cryptography Workshop</a>. But I've gotten COVID-19 again, instead.

2023-03-21T00:00:00+00:00 2023-03-21T00:00:00+00:00 Unknown https://insufficient.coffee/2023/03/21/rwc-and-opensource-crypto-workshop-2023/

<p>I'll be attending the <a rel="external" href="https://rwc.iacr.org/2023/">Real World Crypto Symposium in Tokyo</a> next week, and after that, I'm co-organizing and <a href="/speaking-engagements/">speaking at</a> the <a rel="external" href="https://opensourcecryptowork.shop/2023/">Open Source Cryptography Workshop</a>.

2021-08-06T00:00:00+00:00 2021-08-06T00:00:00+00:00 Unknown https://insufficient.coffee/2021/08/06/moving-blood/

<p>I'd never thought about the logistics of moving donated blood around. The actual donation part is known to be a universally good thing to do, but I'd never searched out what happens next until I heard a fellow pilot talk about volunteering to move platelets around Arizona.&hellip; </p>

2020-12-01T00:00:00+00:00 2020-12-01T00:00:00+00:00 Unknown https://insufficient.coffee/2020/12/01/crlite-part-4-infrastructure-design/

<p>Firefox is the only major browser that still evaluates every website it connects to whether the certificate used has been reported as revoked. Firefox users are notified of all connections involving untrustworthy certificates, regardless the popularity of the site. Inconveniently, checking certificate status sometimes slows down the connection to websites. Worse, the check reveals cleartext information about the website you’re visiting to network observers.&hellip; </p>

2020-11-27T00:00:00+00:00 2020-11-27T00:00:00+00:00 Unknown https://insufficient.coffee/2020/11/27/auditing-crls-of-crlite/

<p>Since Firefox Nightly is now using <a href="/tag/crlite">CRLite</a> to determine if enrolled websites' certificates are revoked, it's useful to dig into the data to answer why a given certificate issuer gets enrolled or not.&hellip; </p>

2020-11-26T00:00:00+00:00 2020-11-26T00:00:00+00:00 Unknown https://insufficient.coffee/2020/11/26/querying-crlite/

<p>Firefox Nightly is now using <a href="/tag/crlite">CRLite</a> to determine if websites' certificates are revoked — e.g., if the Certificate Authority published that web browsers shouldn't trust that website certificate. Telemetry shows that querying the local CRLite dataset is much faster than making a network connection for <a rel="external" href="https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol">OCSP</a>, which makes intuitive sense. It also avoids sending the website's certificate information in cleartext over the network to check the revocation status: solving one of the remaining cleartext browsing data leakages in Firefox.

2020-11-01T00:00:00+00:00 2020-11-01T00:00:00+00:00 Unknown https://insufficient.coffee/2020/11/01/austin-or-bust/

<p>Due to a variety of factors, Mozilla changed venues for our 2017 winter all-hands meeting to Austin, Texas, and Austin being a city with relatively poor commercial airline connectivity, ticket prices were fairly high even for me to fly there from Phoenix.&hellip; </p>

2020-10-05T00:00:00+00:00 2020-10-05T00:00:00+00:00 Unknown https://insufficient.coffee/2020/10/05/berlin-by-air/

<p>I have had business dealings requiring me to visit Berlin regularly for the last 5 years, and in 2018 I finally made the trip outside of the city to <a href="https://acukwik.com/Airport-Info/EDAY">Strausberg Airport</a> to rent a Cessna 172SP Skyhawk.&hellip; </p>

2020-09-30T00:00:00+00:00 2020-09-30T00:00:00+00:00 Unknown https://insufficient.coffee/2020/09/30/returning-home/

<p>While I lived in a lot of different places as a child, I came of age along the Florida panhandle, and for that reason it'll always hold a special place in my heart.&hellip; </p>

2020-09-29T00:00:00+00:00 2020-09-29T00:00:00+00:00 Unknown https://insufficient.coffee/2020/09/29/boiling-the-ocean/

<p>I've had a lot more opportunity to travel since I joined <a href="/tag/mozilla">Mozilla</a>, and it eventually occurred to me: I could rent aircraft in some of these places I was visiting, and see those places in a different way.&hellip; </p>

2020-06-25T00:00:00+00:00 2020-06-25T00:00:00+00:00 Unknown https://insufficient.coffee/2020/06/25/blog_upgrades/

<p>I've been running this blog on an LTS version of Ubuntu that has recently halted Long Term Support, so while migrating data I'm also reworking parts of this blog, including a long-anticipated move from <a href="https://insufficient.coffee/2020/06/25/blog_upgrades/tacticalsecret.com">tacticalsecret.com</a> (what a ... term) to the timeless domain <a href="https://insufficient.coffee/2020/06/25/blog_upgrades/insufficient.coffee">insufficient.coffee</a>.&hellip; </p>

2020-01-21T00:00:00+00:00 2020-01-21T00:00:00+00:00 Unknown https://insufficient.coffee/2020/01/21/crlite-part-3-speeding-up-secure-browsing/

<p>CRLite pushes bulk certificate revocation information to Firefox users, reducing the need to actively query such information one by one. Additionally this new technology eliminates the privacy leak that individual queries can bring, and does so for the whole Web, not just special parts of it.&hellip; </p>

2020-01-09T00:00:00+00:00 2020-01-09T00:00:00+00:00 Unknown https://insufficient.coffee/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/

<p><a rel="external" href="https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf">CRLite</a> is a technology proposed by a group of researchers at the <a rel="external" href="https://www.ieee-security.org/TC/SP2017/">IEEE Symposium on Security and Privacy 2017</a> that compresses revocation information so effectively that 300 megabytes of revocation data can become 1 megabyte.

2020-01-09T00:00:00+00:00 2020-01-09T00:00:00+00:00 Unknown https://insufficient.coffee/2020/01/09/crlite-part-2-end-to-end-design/

<p>CRLite is a technology to efficiently compress revocation information for the whole Web PKI into a format easily delivered to Web users. It addresses the performance and privacy pitfalls of the Online Certificate Status Protocol (OCSP) while avoiding a need for some administrative decisions on the relative value of one revocation versus another.&hellip; </p>

2019-08-05T00:00:00+00:00 2019-08-05T00:00:00+00:00 Unknown https://insufficient.coffee/2019/08/05/web-authentication-in-firefox-for-android/

<p><a rel="external" href="https://www.mozilla.org/en-US/firefox/android/all/">Firefox for Android (Fennec)</a> now supports the <a rel="external" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication API</a> as of <a rel="external" href="https://www.mozilla.org/en-US/firefox/android/68.0/releasenotes/">version 68</a>.

2018-12-04T00:00:00+00:00 2018-12-04T00:00:00+00:00 Unknown https://insufficient.coffee/2018/12/04/making-https-revocations-work-crlite/

<p>I gave a lightning talk at our Mozilla All-Hands meeting about <a rel="external" href="https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf">CRLite</a>, a new technology for delivering revocations for the Web PKI to all clients in a very compressed form.

2018-01-11T00:00:00+00:00 2018-01-11T00:00:00+00:00 Unknown https://insufficient.coffee/trying-out-web-authentication-webauthn/

<p><a rel="external" href="https://w3c.github.io/webauthn/">Web Authentication</a> is now <a rel="external" href="https://twitter.com/FirefoxNightly/status/951428981907165186">enabled in Firefox Nightly</a>, with <a rel="external" href="https://groups.google.com/forum/#!msg/mozilla.dev.platform/tsevyqfBHLE/lccldWNNBwAJ">intent to ship in version 60</a>.

2017-12-04T00:00:00+00:00 2017-12-04T00:00:00+00:00 Unknown https://insufficient.coffee/2017/12/04/countering-phishing-with-cryptography/

<p>At Mozilla's Austin All-Hands I gave a lightning talk about <a rel="external" href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API">Web Authentication</a>, which is our best technical solution to the scourge of phishing today.

2017-08-18T00:00:00+00:00 2017-08-18T00:00:00+00:00 Unknown https://insufficient.coffee/the-state-of-crls/

<p>Certificate Revocation Lists (CRLs) are a way for Certificate Authorities to announce to their relying parties (e.g., users validating the certificates) that a Certificate they issued should no longer be trusted. E.g., was revoked.&hellip; </p>

2017-07-10T00:00:00+00:00 2017-07-10T00:00:00+00:00 Unknown https://insufficient.coffee/cutting-over-lets-encrypts-statistics-to-map-reduce/

<p>We're <a rel="external" href="https://tacticalsecret.com/analyzing-letsencrypt-stats-via-map-reduce/">changing the methodology</a> used to calculate the <a rel="external" href="https://letsencrypt.org/stats/">Let's Encrypt Statistics page</a>, primarily to better cope with the growth of Let's Encrypt. Over the past several months it's become clear that the existing methodology is less accurate than we had expected, over-counting the number of websites using Let's Encrypt, and the number of active certificates. The new methodology is more easily spot-checked, and thus, we believe, is more accurate.

2017-05-16T00:00:00+00:00 2017-05-16T00:00:00+00:00 Unknown https://insufficient.coffee/analyzing-letsencrypt-stats-via-map-reduce/

<p>I've been supplying the statistics for Let's Encrypt since they've launched. In Q4 of 2016 their volume of certificates exceeded the ability of my database server to cope, and I moved it to an Amazon RDS instance.&hellip; </p>

2017-02-23T00:00:00+00:00 2017-02-23T00:00:00+00:00 Unknown https://insufficient.coffee/2017/02/23/the-end-of-sha-1-on-the-public-web/

<p>Our deprecation plan for the SHA-1 algorithm in the public Web, <a rel="external" href="https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/">first announced in 2015</a>, is drawing to a close. Today a team of researchers from CWI Amsterdam and Google revealed the <a rel="external" href="https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html">first practical collision for SHA-1</a>, affirming the insecurity of the algorithm and reinforcing our judgment that it must be retired from security use on the Web.

2016-12-19T00:00:00+00:00 2016-12-19T00:00:00+00:00 Unknown https://insufficient.coffee/demoing-lets-encrypt-at-the-phoenix-devops-meetup-in-february/

<p>The Phoenix DevOps Meetup has asked me to do a <a rel="external" href="https://www.meetup.com/Phoenix-DevOps-Meetup/events/236338847/">walk-through of how to encrypt a website using Let's Encrypt for their February meetup</a>. I don't believe this talk will be recorded, but for any locals who want to discuss PKI, I'll be available after.

2016-11-10T00:00:00+00:00 2016-11-10T00:00:00+00:00 Unknown https://insufficient.coffee/a-big-tent-in-america/

<p>The electoral college has legitimized an agenda that seeks to tell many of my friends and colleagues that they are not welcome in America. That they are only to be tolerated in the shadows. That denigrating them is acceptable national discourse, and will be rewarded with prestige.&hellip; </p>

2016-09-30T00:00:00+00:00 2016-09-30T00:00:00+00:00 Unknown https://insufficient.coffee/lets-encrypts-growth-to-10m-fqdns/

<p>Yesterday Let's Encrypt reached a new milestone: the unique set of all fully-qualified domain names in the currently-unexpired certificates issued by Let's Encrypt is now <strong>10,022,446</strong>.&hellip; </p>

2016-09-08T00:00:00+00:00 2016-09-08T00:00:00+00:00 Unknown https://insufficient.coffee/long-instrument-cross-country-training-flight/

<p>I'm training to be able to fly in clouds and other poor visibility situations. Part of the requirements for this "Instrument Rating" is to fly cross-country, on instrument rules, and do instrument landings at three airports, a task I undertook last Friday&hellip; </p>

2016-08-11T00:00:00+00:00 2016-08-11T00:00:00+00:00 Unknown https://insufficient.coffee/utility-of-an-instrument-rating/

<p>I am training right now for my <a rel="external" href="https://en.m.wikipedia.org/wiki/Instrument_rating">instrument rating add-on</a> to my private pilot certificate. For years I said that there was little point to me having this rating, because in Arizona, when there <em>is</em> weather, you don't want to fly in it.

2016-07-05T00:00:00+00:00 2016-07-05T00:00:00+00:00 Unknown https://insufficient.coffee/rmll2016/

<p>Today at the <a rel="external" href="https://sec2016.rmll.info/program/">RMLL conference's security track</a> I'm talking about some of the challenges, decisions, and trade-offs that occurred while launching Let's Encrypt, in a talk I've called <a rel="external" href="https://sec2016.rmll.info/program/#letsencrypt">Let’s Encrypt: The Road To Encrypting All The Things</a>.

2016-04-05T00:00:00+00:00 2016-04-05T00:00:00+00:00 Unknown https://insufficient.coffee/124-days-of-lets-encrypt/

<p>This is a quick status update from the <a href="/early-impacts-of-letsencrypt/">Early Impacts of Let's Encrypt</a> post.&hellip; </p>

2016-02-19T00:00:00+00:00 2016-02-19T00:00:00+00:00 Unknown https://insufficient.coffee/early-impacts-of-letsencrypt/

<p>During the months I worked in Let's Encrypt's operations team I got fairly used to being the go-to man for any question that a database query could solve.&hellip; </p>

2016-01-21T00:00:00+00:00 2016-01-21T00:00:00+00:00 Unknown https://insufficient.coffee/issuance-rate-for-lets-encrypt/

<p>Gathering data from <a rel="external" href="https://github.com/jcjones/letsencrypt_statistics">Certificate Transparency logs</a>, here's a snapshot in time of Let's Encrypt's certificate issuance rate per minute from 15-21 January 2016

2016-01-19T00:00:00+00:00 2016-01-19T00:00:00+00:00 Unknown https://insufficient.coffee/content-security-policy-enabled/

<p>I spent some time over the last week working up a safe <a rel="external" href="https://developer.mozilla.org/en-US/docs/Web/Security/CSP">Content Security Policy</a> for this website

2016-01-15T00:00:00+00:00 2016-01-15T00:00:00+00:00 Unknown https://insufficient.coffee/renewing-lets-encrypt-certs-nginx/

<p>All the first <a rel="external" href="https://crt.sh/?id=10172479">Let's Encrypt certs for my websites</a> from the LE private beta began expiring last week, so it was time to work through the renewal tooling

2015-10-20T00:00:00+00:00 2015-10-20T00:00:00+00:00 Unknown https://insufficient.coffee/lets-encrypt-publicly-trusted/

<p>A bigger blog post will have to wait, but just as a brief note:</p> <p>Let's Encrypt is <a rel="external" href="https://letsencrypt.org/2015/10/19/lets-encrypt-is-trusted.html">now publicly trusted</a>. In fact, this blog is using a certificate from Let's Encrypt. And so is <a rel="external" href="https://usr.bin.coffee/">usr.bin.coffee</a>, of course.

2015-10-08T00:00:00+00:00 2015-10-08T00:00:00+00:00 Unknown https://insufficient.coffee/beta-testing-lets-encrypt/

<p>One of the advantages to being part of the Let's Encrypt team is early access to the closed beta. As such, I've been able to issue a handful of certificates from the service. For example: <a rel="external" href="https://usr.bin.coffee/">usr.bin.coffee</a>. There's a lot of other upsides as well, such as working with incredible people to make something super-high visibility for the public good.

2015-04-10T00:00:00+00:00 2015-04-10T00:00:00+00:00 Unknown https://insufficient.coffee/gatorlug-letsencrypt/

<p><a rel="external" href="http://www.gatorlug.org/">GatorLUG</a> has invited me to talk about <a rel="external" href="https://letsencrypt.org/">Let's Encrypt</a> at their April 2015 meeting. I'm honored to be playing a role in the architecture and implementation of Let's Encrypt; <a href="/content/2015/Apr/Gator%20LUG%2020150415%20Lets%20Encrypt.pdf">here are the slides I'll be presenting</a>.

2014-11-20T00:00:00+00:00 2014-11-20T00:00:00+00:00 Unknown https://insufficient.coffee/updated-jsonresume/

<p>I've posted a new version of my <a rel="external" href="https://www.npmjs.org/package/jsonresume-theme-bootstrap-icons">Bootstrap Icons</a> theme for <a rel="external" href="http://jsonresume.org">JsonResume</a>

2014-11-18T00:00:00+00:00 2014-11-18T00:00:00+00:00 Unknown https://insufficient.coffee/net-neutrality/

<p>Last night I received this political cartoon in my email:&hellip; </p>

2014-09-09T00:00:00+00:00 2014-09-09T00:00:00+00:00 Unknown https://insufficient.coffee/simplifying-pki-iot/

<p>Because many of the devices in the IoT are headless and have limited ability to interact with their owners, there needs to be a way to authenticate them without passwords, and without the shortcomings of the existing <a rel="external" href="http://en.wikipedia.org/wiki/Bluetooth#Pairing_mechanisms">0000 and 1234 problems</a> in the Bluetooth world.

2014-08-12T00:00:00+00:00 2014-08-12T00:00:00+00:00 Unknown https://insufficient.coffee/jsonresume/

<p>There's a quirky little project on the Internet proving once again that semi-structured data is just plain fun: <a rel="external" href="http://jsonresume.org/">JSONResume.org</a>.</p>

2014-08-06T00:00:00+00:00 2014-08-06T00:00:00+00:00 Unknown https://insufficient.coffee/garden-imp/

<p>Using an <a rel="external" href="http://electricimp.com/">Electric Imp</a> and two <a rel="external" href="http://vegetronix.com/Products/VH400/">Vegetronix VH400 soil moisture sensors</a>, I am now able to monitor the <a rel="external" href="http://en.wikipedia.org/wiki/Water_content">water content</a> of two locations in my garden.</p>

2014-08-06T00:00:00+00:00 2014-08-06T00:00:00+00:00 Unknown https://insufficient.coffee/pan-parts-iot/

<p>Where the Internet of Things meets locations in the physical world, I envision scores of devices networking together to make life more efficient&hellip; </p>

2014-07-30T00:00:00+00:00 2014-07-30T00:00:00+00:00 Unknown https://insufficient.coffee/public-authentication/

<p>The public authentication problem is one we have all learned to solve with intuition: <em>How do I decide to trust a new person?</em>&hellip; </p>

2014-07-04T00:00:00+00:00 2014-07-04T00:00:00+00:00 Unknown https://insufficient.coffee/well-known-peers-iot/

<p>The Internet of Things is imagined to be a interconnection of sensors and physical devices of all kinds into the world’s information systems: a collection of machine-to-machine communication devices used to gather and distribute information about the world, contrasted with the human-machine interactions making up the bulk of today’s Internet. The machine-to-machine model places new restrictions on the common practices for security, as the standard practice of user authentication becomes troublesome without the regular involvement of a user.</p>