OpenSSL Communities

Update from the OpenSSL F2F — Brno, May 2026

Anton Arapov, Thu 11 Jun 2026 5:52PM

The short version: post-quantum is now the default path, release signing has been rebuilt on hardware security modules, official Windows binaries are coming, a 6–24 month public roadmap is being opened for community input — and each committee member is asked to carry one short brief to their community this week and bring follow-ups back.

Five days in Brno brought the OpenSSL Project, the OpenSSL Corporation, and collaborators from across the ecosystem around one table, and the result is one of the most consequential updates the communities have had in years. The through-line is simple: get ready for the post-quantum world, harden every link of the supply chain, and put the communities — the people who actually run this software — at the centre of the roadmap. Your community will hear about most of this eventually; the opportunity in front of this committee is to be the ones who bring it to them first.

Five days of roadmap, technical, and governance work — Brno, May 2026.

Post-quantum is now the default path — and the transition is designed to be gentle. ML-DSA (FIPS 204) has been added to the default signature set, with ML-KEM (FIPS 203) key exchange available as opt-in — nothing is switched on behind anyone's back. Incremental (streaming) signing moved to a new API in the OpenSSL Library 3.6, and migration guidance will follow before anyone is expected to move. The measured results so far are reassuring: side-channel testing found no ML-KEM timing leakage across Intel, ARM, Power, and S390X. Composite (hybrid) signatures were added to the default provider — deliberately not to TLS — as a bridge for legacy equipment that cannot be updated often, and low-memory implementations are in the works for constrained and embedded devices.

Release integrity has been rebuilt end to end. Signing now runs on two hardware security modules under a published key ceremony and signing policy: an RSA-4096 OpenPGP primary key with yearly-rotated subkeys and published fingerprints, ten-year evidence retention, and EV code-signing for Windows builds in the release pipeline. Looking further out, work has begun on how trust itself is managed — TLS Trust Anchor Identifiers, by which a server presents the smallest certificate that satisfies the handshake, and Merkle Tree Certificates, which build transparency in and shrink post-quantum certificate sizes. Both are open IETF drafts — worth a read for anyone who wants the primary sources.

On Rust: provider choice, not a rewrite. Nothing existing is being abandoned, and there is no forced migration away from C — the provider architecture will simply let applications choose C, Rust, Java, or other implementations underneath. Deliberately, public claims are being held until tested, working code exists; community requirements for any official Rust bindings are being gathered first, so this committee's input arrives before the design hardens, not after.

Getting closer to the people who run the software. Official Windows binaries are coming — MSI and executable installers, separate builds for developers and command-line users, Windows 10 and forward — ending years of reliance on third-party builds; the FIPS module ships in the box but stays off until enabled in config, so nobody's setup changes without their say. Discipline is tightening in parallel: Tier 3 community-supported architectures (Alpha, for example) will be dropped in the next major release, and a firm rule now holds that a change is only carried where the collective can test it, with CPU-specific optimisations validated on real hardware first. The exact Tier 3 list is being confirmed before community announcement — plenty of notice will be given.

Process, AI, and sustainability — the numbers behind it. AI-assisted contributions are welcome where the tool is disclosed and human review confirmed; CLA updates are being prepared. A preliminary analysis of the security mailing list — to be published with its full methodology — found roughly 13% of historical reports appear AI-generated, with the share rising in recent quarters; in response, vulnerability submissions now need a reproducible exploit to be prioritised. The headline compliance figure: a per-module compliance-review approach can cut FIPS certification time by roughly 95% compared with full-box validation. And the roadmap itself is being opened up — a 6–24 month plan assembled in public, seeded with recurring requests (iOS with FIPS, structured logging for Common Criteria, OpenTelemetry) and genuinely shaped by what communities feed in.

Community and academia. A lightweight OpenSSL Academic Network has launched — shared logos, zero financial commitment — and the university contribution model keeps proving itself: roughly 37 student pull requests in the latest course run, around 20 merged. Dedicated community space is booked at Open Source Summit Europe, with further presence planned around a December PKI event in Amsterdam and the April RSA/ICMC window. The Java ecosystem gets its own bridge in OpenSSL Jostle, a provider that brings the OpenSSL Library to Java while keeping the FIPS boundary where it already is.