OpenSSL Communities

Meeting Minutes: Corporation TAC Kick-off (2025-06-16)

Anton Arapov

Summary

The Technical Advisory Committee (TAC) kickoff meeting welcomed members, including Nicola Tuveri, Shane Lontis, Dmitry Belyavskiy, Aditya Koranga, and Paul Yang, and outlined the OpenSSL mission and the new governance model, which splits the organization into the OpenSSL Foundation and the OpenSSL Corporation. Anton Arapov detailed the community structure, with the Business Advisory Committee (BAC) focusing on roadmap priorities and the TAC providing technical advice, alongside a new workflow for managing development input. The TAC's role and principles were discussed, emphasizing community engagement, technical insights, and independence, supported by a discretionary budget. Initial steps include community outreach and connecting with BAC counterparts, with plans for monthly meetings and a program committee for the OpenSSL Conference 2025, seeking diverse speaker proposals. Tim Hudson and Anton Arapov also addressed financial and organizational structure.

Participants

  • OpenSSL Corporation

    • @Anton Arapov

    • @Tim Hudson

  • Advisory Committee Members

    • @Nicola Tuveri (Tampere University) – Academics

    • @Shane Lontis (Oracle) – Committers

    • @Dmitry Belyavskiy (Red Hat) – Distributions

    • @Aditya Koranga – Individuals

    • (excused) @Craig Lorentzen (Amazon Web Services) – Large Business

    • @Paul Yang (ToneFlow) – Small Business

Meeting Highlights

  • Meeting Welcome and Introductions: Anton Arapov welcomed everyone to the Technical Advisory Committee (TAC) kickoff meeting and congratulated the members. He noted the absence of a large business group representative and mentioned recording the session for those who couldn't attend. Participants, including Nicola Tuveri representing academics, Shane Lontis representing committers, Dmitry Belyavskiy representing the distribution community, Aditya Koranga representing individuals, and Paul Yang representing individuals, introduced themselves and their affiliations.

  • OpenSSL Mission and Values: Anton Arapov emphasized the OpenSSL Mission: providing access to security and privacy tools as a fundamental human right. He stressed the importance of filtering all decisions and considerations through this mission and values.

  • OpenSSL Corporation Overview and Governance: Anton Arapov provided an update on the size of the corporation, mentioning the operations, marketing/communication, and engineering teams, including upcoming new hires. He explained the new governance model implemented in March 2024, which split the former single entity into two autonomous entities: the OpenSSL Foundation (non-commercial) and the OpenSSL Corporation (commercial). Both entities have separate boards of directors but share a set of members. This change aimed to better serve different communities.

  • Community Structure and Advisory Committees: Anton Arapov outlined the community structure, including members, the Business Advisory Committee (BAC), and the TAC. The BAC, formed earlier, focuses on the "what" by determining roadmap priorities based on community needs. The TAC, in contrast, addresses the "how" by providing technical advice and ensuring community voices are heard in technical decision-making. Anton encouraged TAC members to connect with their BAC counterparts.

  • Addressing Past Challenges and New Workflow: Anton Arapov discussed past difficulties in providing timely answers regarding feature availability and release schedules. The establishment of two companies and the creation of advisory committees are intended to address these challenges. A new workflow includes a rotational "wrangler" within the engineering team to manage GitHub issues and PRs. Large feature requests are routed to the BAC, while small features go directly to the engineering project board. This aims to improve external input into OpenSSL Library's development.

  • OpenSSL Projects and Collaboration: Anton Arapov briefly mentioned related projects like Bouncy Castle and Cryptlib, noting potential areas for collaboration such as FIPS 140 testing and discussions on new algorithms. Tim Hudson elaborated that the OpenSSL Mission now encompasses a broader range of security and privacy projects. Bouncy Castle and Cryptlib have aligned themselves with the OpenSSL Mission. A recent meeting in Brno, Czechia, fostered interaction between the Corporation, the Foundation, and these projects, with plans for similar TAC gatherings.

  • Role and Principles of the Technical Advisory Committee: Anton Arapov detailed the TAC's role as a key advisory body ensuring community technical voices are heard in technical decision-making. The TAC complements the BAC by providing technical insights and validation. Core principles include aligning with industry standards, advocating for best practices, future-proofing OpenSSL Library, and supporting long-term security and performance. Independence from corporation management and open communication are crucial. Tim Hudson emphasized that TAC members should feel free to voice their ideas without undue influence, and any disagreements will be transparent.

  • Collaboration and Support for the TAC: Anton Arapov stressed the importance of TAC members actively engaging with their communities and providing constructive feedback. The TAC serves as a liaison to facilitate community engagement. Anton also highlighted that a discretionary budget is available to the TAC for community outreach and supporting its mission. Tim Hudson clarified that the corporation has no input on how the TAC chooses to spend this budget, emphasizing transparency in its use.

  • Board Interaction and TAC Operational Aspects: Anton Arapov outlined the commitment to regular updates and feedback loops between the TAC and the Board. He reiterated the TAC's autonomy in defining its agenda and the importance of transparent processes. The Corporation is committed to collaborating productively with the TAC and providing necessary resources. Nicola Tuveri requested guidance on effectively using the OpenSSL Communities platform for engagement. Tim Hudson introduced the "TICK" personality profile tool as a communication aid, available upon request.

  • Initial Steps and Call to Action for TAC Members: Anton Arapov outlined initial steps for TAC members, including establishing communication channels with their communities, being visible and approachable, and connecting with their BAC counterparts. Tim Hudson noted that some members, like Shane Lontis representing committers, may already have strong community connections, while others will need to establish them. Nicola Tuveri shared their experience as a BAC representative facing challenges in reaching the wider academic community through the current platform and suggested webinars as a potential solution. Tim Hudson offered the Corporation's marketing resources to help organize such webinars.

  • Marketing and Swag for Events: Tim Hudson discussed providing marketing materials and swag, like OpenSSL t-shirts, for individuals attending events to represent the community. He emphasized their seriousness in assisting with these requests to broaden their reach beyond current committers.

  • Monthly Meeting Schedule: Anton Arapov proposed holding the meeting at the same time slot once a month to consolidate gatherings, which Shane Lontis agreed to, despite it being less than ideal for those on the other side of the earth.

  • OpenSSL Conference 2025 Program Committee: Anton Arapov highlighted the ongoing call for papers for the OpenSSL Conference 2025 and suggested establishing a program committee composed of OpenSSL resources from both the Corporation and the Foundation, as well as their advisory committees, to review submissions. This would aid in the review process for the conference planned for an in-person meeting with the business and technical advisory committees in Brno on October 2nd and 3rd.

  • Collaboration on Outreach for Speakers: Nicola Tuveri offered to coordinate with Aditya Koranga on inviting speakers for the conference, particularly those in the PQC Alliance and Linux Foundation, to avoid redundant efforts. They agreed they could either divide the task or collaborate and de-duplicate their outreach.

  • PQCA Involvement and Speaker Invitations: Aditya Koranga confirmed their interest and mentioned that the PQCA outreach committee meets monthly to identify conferences for potential contributions, including OpenSSL. Aditya personally offered to give a talk at the OpenSSL Conference and will also invite other interested members from PQCA.

  • Encouraging Diverse Speakers and Travel Expenses: Tim Hudson encouraged Paul Yang and others to invite potential speakers from their communities, regardless of their location. He clarified that while speakers from large companies are expected to cover their travel, a mechanism exists to assist speakers who cannot secure funding if their paper is accepted, though this should be communicated on an individual basis.

  • Deadline for Speaker Proposals and Library Ownership: Tim Hudson requested speaker proposals as soon as possible to gauge the schedule and areas of interest. Paul Yang inquired about the ownership of the OpenSSL library code, to which Tim Hudson explained that they consider themselves co-equal co-custodians, and the code is available under the Apache license.

  • Clarification on TAC Responsibilities and Focus: Shane Lontis raised questions about the responsibilities of the TAC for the Corporation versus the Foundation given the shared codebase. Tim Hudson clarified that both have the same mission and values but with a difference in focus: the Corporation on commercial activities and the Foundation on non-commercial activities. This lens affects prioritization, as seen in the example of C99 support, which has different relevance in commercial versus non-commercial contexts.

  • Decision-Making Process and Visible Viewpoints: Tim Hudson explained that the split between the Foundation and the Corporation aims to make differences in viewpoint visible, leading to conversations and decisions. Neither entity can unilaterally block progress, and the process encourages those with strong opinions to participate openly rather than a small group privately representing potentially unexpressed views. He emphasized the importance of voicing opinions publicly for them to be considered, using the example of LMS and past issues with the QUIC decisions where community feedback was not public.

  • Addressing Commercial Pressure and Community Engagement: Tim Hudson discussed the negative impact of commercial pressure hindering open expression of viewpoints, citing examples in the QUIC decisions and IETF. He wants to foster an environment where community input through public channels is the primary driver of decisions. He used the example of Intel optimizations, which were implemented based on understanding their importance despite a lack of public demand, illustrating a difference between commercial and non-commercial priorities.

  • Complexity of Usage Models and Organizational Structure: Tim Hudson acknowledged the difficulty in defining and quantifying non-commercial use of OpenSSL, using Debian as an example. He outlined the current organizational structure with two boards, two advisory committees, and a combined engineering team, noting that the BAC and TAC have not yet significantly impacted prioritization decisions, especially for the upcoming 3.6 release.

  • Future Technical Priorities and Binary Distributions: Tim Hudson suggested that the TAC could focus on fundamental architectural issues like the complexity in provider mechanisms for the 4.0 release. He contrasted this with BAC-related priorities such as performance and addressing legacy issues. He noted that providing decent binary distributions was a high priority for the corporation based on BAC feedback, and very much a shift from the previous source-only approach.

  • Shifting Decision-Making and Addressing Divergent Views: Tim Hudson encouraged Shane Lontis to bring forward issues where they felt past decisions were unsatisfactory, emphasizing that the status quo of inaction on certain topics is no longer happening. While acknowledging the existence of divergent views, Tim Hudson believes some of the deadlocks preventing progress have been broken, and the closeness of votes is now more visible, influencing participants' thinking: people who had assumed an outcome, on seeing that the views are different, are altering their votes during the discussions.

  • Importance of In-Person Meetings and Networking: Tim Hudson encouraged TAC members to attend the OpenSSL Conference in October, highlighting the value of face-to-face interactions for the BACs and TACs and the energizing effect it has had on the BAC members. He noted that while remote participation is helpful, it's not the same as being there in person, and every TAC and BAC member committed to a once-a-year in-person meeting.

Sougata Pal. Tue 17 Jun 2025 12:38PM

OpenSSL has been planning to work on integrating the following algorithms into its core to be quantum proof: ML-KEM, ML-DSA, and SLH-DSA. What does the roadmap look like for that?

Most importantly, is this even the right forum to discuss it?

Aditya Koranga Tue 17 Jun 2025 1:46PM

Not sure whether this is the right place for that or not, but since you have asked: yes, ML-KEM, ML-DSA and SLH-DSA are already added in OpenSSL Release 3.5. Plus there are discussions around PQC-related things for Release 3.6; have a look at this.

Anton Arapov Wed 18 Jun 2025 11:56AM

@Sougata Pal. The appropriate way to handle such questions or discussions is to route them through the community or communities you belong to. Since you’re part of the Individuals community, I recommend starting a new thread there to raise your topic of interest.

Members of the Business and Technical Advisory Committees will assist in facilitating the discussion and, if necessary, help guide it toward a resolution.

Sougata Pal. Wed 18 Jun 2025 12:25PM

Thanks @Aditya Koranga and @Anton Arapov for the clarification. I will proceed accordingly.