What the Brno F2F means for Small Businesses — and an invitation
Hi all — Anton here. I organised the OpenSSL F2F in Brno this May, and I'm bringing the update to this community personally: the Small Business seats on both advisory committees are currently vacant, so there was nobody to carry it to you. More on that at the end, because it's fixable — and easily. The short version: less effort to adopt, FIPS only if you need it, post-quantum without drama — and two empty seats with your community's name on them.

The welcome committee, Brno-style. The real agenda was less cuddly.
First, the substance. The full F2F write-up is running in two committee spaces, and they're worth visiting separately: the BAC thread is where the business and governance discussion is unfolding — compliance, roadmap priorities, sustainability — while the TAC thread carries the technical conversation, with links to the standards drafts and specifications behind it all. Different rooms, different follow-ups; both readable by anyone. Below is the part that matters if you run a small operation, framed the way I'd want it framed if I were in your seat: what it costs you, what it saves you, and what you can safely ignore.
Less effort to adopt and trust. Official Windows binaries are coming — MSI and plain executable installers, with a lightweight option if you only need the command-line tools — so reliance on third-party builds can end. Releases are now signed on hardware security modules under a published process; the signing certificate, its fingerprint, and how to verify a download are all documented on the official downloads page, so checking what you fetched takes minutes, not expertise.
FIPS only if you need it. The FIPS module ships in the build but stays off until you switch it on in config. No burden if you don't need it; a much simpler path if you do. And if customers send you SOC 2 / ISO / SLA questionnaires that don't fit open source, a compliance one-pager is being prepared that you'll be able to hand over as a ready answer.
Post-quantum without drama. Post-quantum signatures (ML-DSA, FIPS 204) are on by default, post-quantum key exchange (ML-KEM, FIPS 203) is opt-in, and for most deployments this is additive — nothing breaks. Composite signatures exist specifically to ease migrating older equipment that can't be updated often, and the DTLS 1.3 migration is supported but not forced.
Rust: provider choice, not a rewrite. You'll hear noise about OpenSSL "moving to Rust." It isn't a rewrite, and for everyday use nothing changes in what you do.
A roadmap you can actually influence. A 6–24 month roadmap is being assembled in the open, and community input is wanted. This is the cheapest way there is to be heard — a comment costs you five minutes.

Where the questions got answered — heads down, mid-week.
A personal note from the week: organising five days of this, what struck me most was how often the room's hardest questions were really small-business questions — who can afford certification, who has time to rebuild from source, who gets stuck when a third-party Windows build disappears. The answers landed well, in my view. But every one of those discussions happened about you rather than with you, and that's the part I'd like this community to change.
Which brings me to the ask. Both advisory committee seats for Small Businesses — BAC and TAC — are vacant. That means no one is carrying your priorities into exactly the discussions above. Getting a seat is genuinely as easy as nominating yourself — the process is described here. If you've ever read a roadmap item and thought "that's not how it works for shops our size" — you're qualified.
And whether or not a seat interests you, I'd like to hear from you right here: What would make OpenSSL easier to adopt in a small shop? Which of the items above matters most — or least — to you? What did the F2F miss? I'll carry the follow-ups from this thread into the roadmap and the committees myself until the seats are filled.
— Anton
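For the "FIPS only if you need it" item above: the switch the post refers to is a provider entry in the OpenSSL configuration file. What follows is an added example of how that is expressed in the OpenSSL 3.x provider model, not text from the post or from the project's own pages, and the installation paths (`/usr/local/ssl/...`) are placeholders for wherever your build put the library and module.

```ini
# openssl.cnf (added illustration; paths are assumptions, not project defaults)
#
# With no fips entry under [provider_sect] the library loads the default
# provider and behaves as usual. The fips/base sections and the default
# property below are the "switch it on in config" step.

config_diagnostics = 1
openssl_conf = openssl_init

# Written by `openssl fipsinstall` for the installed fips module; it carries
# the [fips_sect] section and the module checksum the module verifies at load.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# The FIPS module itself; its section is supplied by fipsmodule.cnf above.
fips = fips_sect
# The base provider holds the encoders/decoders and store loaders needed to
# read key and certificate files; it contains no cryptographic algorithms.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Only implementations carrying the fips=yes property are selected, so an
# algorithm the FIPS module does not offer (MD5, for example) fails outright
# instead of silently falling back to a non-FIPS implementation.
default_properties = fips=yes
```

Point the library at the file either by installing it as the default `openssl.cnf` in OPENSSLDIR or by setting `OPENSSL_CONF` to its path. Two quick checks that it took effect: `openssl list -providers` should show `base` and `fips` as the active providers, and `openssl dgst -md5 /dev/null` should fail with an unsupported-digest error, because MD5 is not part of the FIPS module.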
Fergal Meath · Mon 15 Jun 2026 5:26PM
@Anton Arapov 1. single biggest issue for our organisation is reducing the footprint for our very small flash. 2. FIPS is not an issue for small business - we'll have a big contract before we need FIPS compliance ;-) I need to get more up to speed on post quantum. 3. MSI would be nice for us - is this a significant cost for the OpenSSL org?
Aditya Koranga · Thu 18 Jun 2026 7:05AM
From a Small Business perspective, we are hearing a lot about CBOMs these days. However, in many cases we do not directly implement or own any cryptography ourselves. We use software and infrastructure components such as NGINX, API gateways, load balancers, and other applications that rely on cryptographic libraries like OpenSSL, often using their default cryptographic configurations. In such scenarios, who do you see as responsible for generating and providing the CBOM? Should it come from the cryptographic library provider, the application vendor, or the operator deploying the application? Also, for an application using OpenSSL with mostly default configurations, what level of information would be useful in a CBOM? Have you seen any examples of CBOMs for OpenSSL-based applications, and how granular do you think they should be?
We have software/products written in Rust and there is no single all-in-one Rust crypto project that we can directly use, basically a vast number of Rust crates from different sources, so we utilise some Rust bindings/wrappers for OpenSSL which we are not very happy to use, so the news about the Rust provider for OpenSSL is really helpful for us, particularly encouraging and highly relevant to our needs.
Anton Arapov · Thu 11 Jun 2026 7:19PM
What's still open from the F2F where this community's answers actually change the outcome, and what's already being worked on your behalf.
Open items — a one-line reply to any of these is enough:
Adoption cost. What's the single biggest friction adopting the OpenSSL Library in a small shop — building from source, finding trustworthy Windows builds, FIPS setup, documentation, or verifying downloads? Pick one (or name your own).
Priorities. Of the four announced items — official Windows builds, simpler FIPS, the compliance one-pager, post-quantum — which one matters most to you? And is there one that doesn't matter at all?
Installers. In your environment: is .exe banned and MSI required, the reverse, or are both fine? One word answers welcome.