OpenSSL Communities
Sat 20 Sep 2025 1:59PM

LBC Meeting Minutes Sept 18, 2025

Jeff Johnson

Webex Recording and Summary:

Host: Jeff Johnson

Thursday, September 18, 2025

3:59 PM  |  (UTC-04:00) Eastern Time (US & Canada)  |  1 hr 1 mins

Recording

Topic: September Large Business OpenSSL-20250918 2105-1

Password: qDtMXSf3

Meeting summary AI-generated

The meeting covered updates on the OpenSSL conference, community engagement, API changes, algorithm standards in the crypto industry, and discussions on AI policy and an upcoming event in North Carolina.

  • Meeting focused on updates regarding the OpenSSL conference and community engagement.

  • Anton emphasized the goal of having at least one attendee from each customer company.

  • OpenSSL established its first headquarters in Brno, Czech Republic, reflecting significant growth.

  • Discussions included careful removal of deprecated APIs to avoid disrupting existing applications.

  • Participants expressed willingness to investigate impacts of API changes on their codebases before implementation.

  • Discussed the lack of standards for algorithms like Proto and Frodo in the crypto industry.

  • BSI customers show a strong preference for specific algorithms, indicating market demand.

  • Concerns raised about implementing new algorithms without established standards or ratification.

  • AI policy discussion initiated regarding AI-generated code in open source projects.

  • Upcoming event planned in North Carolina to engage with the open source community on various topics.

Action items AI-generated

  • Anton Arapov and others are encouraged to have discussions outside of the main event during their time in RTP.

  • Anton Arapov to send out a more specific poll regarding the removal of deprecated APIs to gather community feedback.

  • Anton Arapov to reach out to Panos K and Craig's team about utilizing AWS's build system for dry run builds to test the impact of removing APIs.

  • Jeff Johnson and Barry Fussell to coordinate internally on Cisco's approach to handling engine usage across different product teams.

  • Anton Arapov will check with the team about using open slots at the conference to discuss AI usage in OpenSSL.

  • Anton Arapov will explore the possibility of having a free-form discussion at the conference regarding AI and other big questions.

  • Panos K mentioned he might introduce a couple of algorithms related to primitives and will think about it further before sharing at the upcoming event.

  • William Bellingrath and his team to investigate their codebase for any potential usage of the deprecated APIs, especially engines.

Anton Notes:

Overview:

The meeting primarily focused on updates and planning around the upcoming OpenSSL conference, outreach efforts within the large business community, future plans for deprecated APIs, the future of OpenSSL’s LTS versions including post-quantum cryptography (PQC) support, and broader security topics such as AI-generated code and entropy requirements in FIPS validation. A few logistical and community outreach efforts, such as an upcoming visit to RTP (Research Triangle Park) and participation in local events, were also discussed.

1. Community Outreach & Meeting Growth

- Anton shared that he has spoken to 20–30 large business clients over the past 1.5 months to raise awareness about the call and the OpenSSL community. He invited them to join the meeting but did not send reminders.

- He expressed a desire to continue expanding the reach of the community and committed to re-following up with contacts who previously expressed interest.

- William from Juniper joined the call for the first time, having previously participated in a Juniper-OpenSSL call.

2. Upcoming OpenSSL Conference

- The conference is scheduled to happen in about three weeks.

- Almost all speakers have registered.

- The current registration count is 200 people, with 100 more yet to register, aiming for a target of 400.

- OpenSSL is offering attendance support, which may include funding and group discounts for clients.

- Anton stressed the goal of having at least one person from each client company attend.

- William confirmed that he and his team are scheduled to give a talk on Friday, outlining their upgrade journey from OpenSSL 1.1.1 to 3.x and associated performance issues and mitigations.

3. OpenSSL Headquarters Established

- The OpenSSL Corporation now has a physical office based in Brno, Czech Republic, with about 12 employees based there.

- The growth of the corporation was noted — from around 4–5 people pre-2022 to 17 employees and 3 contractors today.

- The office's grand opening included a small photo archive that may be shared publicly.

4. Removal of Deprecated APIs

- The OpenSSL team is planning a phased and cautious approach to removing deprecated APIs in OpenSSL 4.0, targeted for April.

- The first focus will be on deprecated engine-related APIs.

- To avoid breakages, stubs may be used to maintain application compatibility.

- Previous polling of the community regarding deprecated APIs was deemed non-representative (12–13% response rate), prompting a more careful and specific follow-up.

- OpenSSL aims to collect further feedback from the community using targeted proposals.

- Participants supported the idea in general but stressed the need for proper evaluation of their internal codebases and dry-run builds to detect dependencies.

5. Build Testing Collaborations

- Anton suggested collaborating with AWS to use their build infrastructure (specifically referencing AWS-LC and its SCI test structure) to simulate the effect of removing deprecated APIs.

- Panos (from AWS) indicated it's possible to run dry-run builds without committing the changes and volunteered Craig Lorentzen's team (from AWS) as a potential point of contact for the initiative.

6. Post-Quantum Cryptography (PQC) & LTS Strategy

- OpenSSL 3.5 and 3.6 support some aspects of PQC like LMS and XMSS (signature verification).

- Anton stressed the importance of encouraging companies to migrate to 3.5 LTS for post-quantum readiness.

- Discussion about FrodoKEM, ML-KEM, and HQC occurred — FrodoKEM being favored by BSI (German cert authority), but its lack of final standardization was a concern.

- Panos noted that cryptographic politics are involved and OpenSSL should be cautious about introducing algorithms too early without adoption consensus or standardized backing.

7. FIPS Certification & Module Boundaries

- Topic raised regarding changes in FIPS certification (e.g., possibly requiring entropy sources within cryptographic module boundaries).

- Consensus voiced that this requirement could compromise the modular approach commonly used in FIPS validation.

- Further guidance may be needed from NIST or CMUF working groups.

8. Recommended and Default PQC Algorithms in TLS 1.3

- Discussion on how OpenSSL should define or recommend default PQC groups in TLS 1.3.

- The current consensus (in the TAC) is to document the defaults but not make performance-based or directional recommendations at this time.

- Panos expressed a personal preference order based on quantum resistance and performance but noted he doesn’t expect OpenSSL to enforce anything.

9. Governance: AI Policy for Open Source Contributions

- Raised by James (not on this call), the question of whether OpenSSL should adopt a formal AI-generated code policy was introduced.

- Discussion acknowledged the growing importance of the topic but also noted the challenge of enforcement and scope.

- There was agreement it’s a complex issue requiring further thought and stakeholder input.

- Anton suggested that the community should first clarify the concern and scope before formulating a policy.

- The idea of hosting a dedicated session on AI code policy during the OpenSSL conference was proposed.

10. RTP Visit – November Activities

- OpenSSL representatives will visit North Carolina in November for a week-long series of events post-conference.

- Key event to attend is the “All Things Open” community meet-up, with OpenSSL acting as a featured participant in an evening forum.

- Cisco and NetApp will also host parts of the agenda.

11. Additional Technical Contributions & Algorithm Additions

- Panos briefly mentioned interest in new non-post-quantum primitives (e.g., HPKE with ML-KEM) as candidates for inclusion in future versions.

- HPKE support in OpenSSL currently uses only ECDH; extending HPKE to post-quantum groups like ML-KEM is under consideration.

- Further discussions to happen in private meetings during RTP week.

Conclusion:

The meeting concluded with thanks and encouragement for stronger engagement in future business community meetings. The upcoming OpenSSL conference, the RTP outreach week, and follow-ups on technical topics (API deprecation, PQC, AI policy, future cryptographic support) are focal points moving forward. Anton emphasized more effective advocacy and consistent communication with large business clients.

End of Meeting.