What the Brno F2F means for Small Businesses — and an invitation
Hi all — Anton here. I organised the OpenSSL F2F in Brno this May, and I'm bringing the update to this community personally: the Small Business seats on both advisory committees are currently vacant, so there was nobody to carry it to you. More on that at the end, because it's fixable — and easily. The short version: less effort to adopt, FIPS only if you need it, post-quantum without drama — and two empty seats with your community's name on them.

The welcome committee, Brno-style. The real agenda was less cuddly.
First, the substance. The full F2F write-up is running in two committee spaces, and they're worth visiting separately: the BAC thread is where the business and governance discussion is unfolding — compliance, roadmap priorities, sustainability — while the TAC thread carries the technical conversation, with links to the standards drafts and specifications behind it all. Different rooms, different follow-ups; both readable by anyone. Below is the part that matters if you run a small operation, framed the way I'd want it framed if I were in your seat: what it costs you, what it saves you, and what you can safely ignore.
Less effort to adopt and trust. Official Windows binaries are coming — MSI and plain executable installers, with a lightweight option if you only need the command-line tools — so reliance on third-party builds can end. Releases are now signed on hardware security modules under a published process; the signing certificate, its fingerprint, and how to verify a download are all documented on the official downloads page, so checking what you fetched takes minutes, not expertise.
FIPS only if you need it. The FIPS module ships in the build but stays off until you switch it on in config. No burden if you don't need it; a much simpler path if you do. And if customers send you SOC 2 / ISO / SLA questionnaires that don't fit open source, a compliance one-pager is being prepared that you'll be able to hand over as a ready answer.
Post-quantum without drama. Post-quantum signatures (ML-DSA, FIPS 204) are on by default, post-quantum key exchange (ML-KEM, FIPS 203) is opt-in, and for most deployments this is additive — nothing breaks. Composite signatures exist specifically to ease migrating older equipment that can't be updated often, and the DTLS 1.3 migration is supported but not forced.
Rust: provider choice, not a rewrite. You'll hear noise about OpenSSL "moving to Rust." It isn't a rewrite, and for everyday use nothing changes in what you do.
A roadmap you can actually influence. A 6–24 month roadmap is being assembled in the open, and community input is wanted. This is the cheapest way there is to be heard — a comment costs you five minutes.

Where the questions got answered — heads down, mid-week.
A personal note from the week: organising five days of this, what struck me most was how often the room's hardest questions were really small-business questions — who can afford certification, who has time to rebuild from source, who gets stuck when a third-party Windows build disappears. The answers landed well, in my view. But every one of those discussions happened about you rather than with you, and that's the part I'd like this community to change.
Which brings me to the ask. Both advisory committee seats for Small Businesses — BAC and TAC — are vacant. That means no one is carrying your priorities into exactly the discussions above. Getting a seat is genuinely as easy as nominating yourself — the process is described here. If you've ever read a roadmap item and thought "that's not how it works for shops our size" — you're qualified.
And whether or not a seat interests you, I'd like to hear from you right here: What would make OpenSSL easier to adopt in a small shop? Which of the items above matters most — or least — to you? What did the F2F miss? I'll carry the follow-ups from this thread into the roadmap and the committees myself until the seats are filled.
— Anton
Anton Arapov · Thu 11 Jun 2026 7:19PM
What's still open from the F2F where this community's answers actually change the outcome, and what's already being worked on your behalf.
Open items — a one-line reply to any of these is enough:
Adoption cost. What's the single biggest friction adopting the OpenSSL Library in a small shop — building from source, finding trustworthy Windows builds, FIPS setup, documentation, or verifying downloads? Pick one (or name your own).
Priorities. Of the four announced items — official Windows builds, simpler FIPS, the compliance one-pager, post-quantum — which one matters most to you? And is there one that doesn't matter at all?
Installers. In your environment: is .exe banned and MSI required, the reverse, or are both fine? One-word answers welcome.