rmhrisk
rmhrisk.bsky.social
Dropout. Father. I build things. Security, Cryptography, Engineering, Entrepreneurship.
@peculiarventure
+ x-MSFT + x-GOOG ++. Also on @[email protected] and twitter.com/rmhrisk
This is what zero-trust looks like at the infrastructure layer. Identity and encryption match the lifetime of the thing being secured.

If your certificate strategy still assumes stable names and year-long validity, it is already behind reality.

letsencrypt.org/2026/01/15/6...
6-day and IP Address Certificates are Generally Available
Short-lived and IP address certificates are now generally available from Let’s Encrypt. These certificates are valid for 160 hours, just over six days. In order to get a short-lived certificate subscr...
letsencrypt.org
January 16, 2026 at 4:26 PM
Short-lived and IP certificates make it possible to use TLS before a DNS name exists, reduce friction for DNS over HTTPS adoption, secure ephemeral devices and services by default, and shift trust from long-lived credentials to automated renewal.

👇
January 16, 2026 at 4:26 PM
TL;DR we've constructed an entire compliance industry around optimizing metrics that have become disconnected from the underlying reality they were supposed to measure.
December 24, 2025 at 9:31 PM
In complex systems, oversight that depends on snapshots will fail predictably. Data without continuous interpretation does not produce safety.
December 24, 2025 at 9:31 PM
Regulators oversee continuously changing systems using periodic exams. That mismatch is structural.

SVB wasn’t a surprise. Regulators had leading indicators and documented findings. Risk accumulated while interpretation and enforcement lagged.
December 24, 2025 at 9:31 PM
The whole premise of a compliance team governing complex systems they barely understand is broken. Compliance in a complex system has to be a continuous team sport, a natural byproduct of the way teams work. Not an annual bolt-on.
December 24, 2025 at 9:08 PM
The same will be true everywhere. Scale and velocity outpace our ability to reason. The audit still passes. The gap just grows faster.
December 24, 2025 at 8:57 PM
Now consider that AI is writing 30% of the code at Google and Microsoft. The humans who understood what the system does, and whether it matches what the policy claims, understand less every quarter.
December 24, 2025 at 8:57 PM
I wrote up some thoughts on how we got here: unmitigatedrisk.com?p=1116
The Impossible Equation | UNMITIGATED RISK
unmitigatedrisk.com
December 5, 2025 at 4:38 AM
I also use this as a kind of low pass filter. It’s reasonable to expect a security leader to understand the concepts behind the systems they protect. You don’t need to be an expert to grasp the abstract properties; it’s an opportunity to practice humility and curiosity as well.
November 7, 2025 at 6:24 PM
Some thoughts on that here: unmitigatedrisk.com?p=1109
Beyond Gutenberg: How AI Is Teaching Us to Think About Thinking | UNMITIGATED RISK
unmitigatedrisk.com
October 25, 2025 at 11:10 PM
No, a few years ago they switched to their own root store. They do pull in certificates that the user adds, but not the platform root store.
September 4, 2025 at 10:35 AM
Full analysis here → unmitigatedrisk.com?p=1092
Another Sleeping Giant: Microsoft’s Root Program and the 1.1.1.1 Certificate Slip | UNMITIGATED RISK
unmitigatedrisk.com
September 3, 2025 at 10:23 PM