Once a year, the team that keeps it comes into the same room with the integrators, regulators and partners who ship what they make.
A small room. Three days. The work of the next year, decided by the people who do it.
We believe everyone should have access to security and privacy tools — whoever they are, wherever they are, or whatever their personal beliefs are — as a fundamental human right.
The OpenSSL Library is the world's most widely deployed cryptographic toolkit. It runs in operating systems, browsers, payment networks, satellites, regulated medical devices and the back rooms of every industry that handles a key. By a fair count, it touches well over half a billion users a day.
It is stewarded by a team of around twenty. Maintainers, FIPS engineers, support, legal, ops. Brno, Munich, Auckland, Melbourne, Granada, Spain. The OpenSSL Corporation employs them; the OpenSSL Foundation safeguards the project's independence and the public record; the Advisory Committees keep the room honest.
We're a tiny team. We're twenty people. If we've got funding we expand. What we haven't got is idle engineers.
Conversation · partner bank · April 2026
That ratio — twenty people, half a billion users — is the entire reason this conference exists. The work doesn't scale by hiring. It scales by being in the same room as the people who deploy it, regulate it, package it, and depend on it. Three days a year, that room is Prague.
If you do this work, this room is yours.
Cryptography moves through this industry the way a draft standard moves through a hallway: someone says it to someone, and a week later it exists. The X9.146 hybrid PQC certificate work happened that way — Wells Fargo, Bouncy Castle, wolfSSL, OpenSSL — over conversations and a couple of glasses of scotch. Now it is a draft, and three implementations interoperate.
And David said to Peter, and Peter said, yeah, I'll do it. And it gets done. It's a really small industry.
Conversation · partner bank · April 2026
The pattern repeats. Coalitions of the willing — five or six vendors who each put a few dollars in — produce things no single company could justify. That is how the original FIPS module shipped. It is how the BSI / EUCC module will ship if the room agrees. It is how the next standard will be tested, the next provider written, the next migration funded.
The unit of currency is small and specific: one engineer-year. That is the price of an enterprise tier — a developer, on your platform, every day, finding the breakage early instead of six months late. It is the smallest meaningful commitment. The room knows this. Most of the room is this.
We're ruthless at automation and cost control. Because we're so small, we just see problems differently. Where you'd cost X, we might come in at a tenth.
Conversation · OpenSSL · April 2026
The governance follows from the size. The Foundation and the Corporation are co-equal — either body may say yes; neither may say no to the other. The Advisory Committees, Business and Technical, are elected from the community. The approval process is an email that says yes. That is not a slogan. That is the actual process.
This is why the conference is in person. A coalition forms over a coffee, not a calendar invite. A maintainer agrees to a piece of work because the person asking is across the table, not on a thread. The hallway is the work. The talks are the index to it.
The volume of inbound security reports landing on open-source cryptographic projects has multiplied by an order of magnitude in eight weeks. Not because the bugs multiplied. Because the tools writing the reports did.
Some of it is excellent. The false-positive rate of the best tools is approaching zero, and important things are being found. Most of it is noise — proofs-of-concept that don't reproduce, severities that are either nothing or doomsday with nothing in between, twenty reports of the same finding from twenty different addresses.
We don't let a day go by without incidents coming in. We're hiring an actual security-coordination person — for the corporation, just to help with the stuff that's coming through.
Conversation · cryptographic project lead · April 2026
Twenty people cannot triage at this rate without help, and help cannot be hired at the speed of the inflow. Open source has three current responses: ban it, ignore it, or be slowly consumed by it. None of those is acceptable. A fourth response has to be invented, and it has to be invented with the people on the receiving end.
OpenSSL 4.0 is in the field — the release that retired the ENGINE API after twenty-six years and put the project's governance on the public record. Post-quantum cryptography stopped being a research topic: ML-KEM, ML-DSA and SLH-DSA are FIPS standards, shipping in the Library, interoperable with fifteen providers, one command from a working TLS session.
X9.146 — hybrid PQC certificates — is in draft and has three interoperating implementations. FIPS 140-3 validation continues with Lightship Security and the new Teron Labs partnership. BSI and EUCC are diverging from FIPS in ways the room needs to reconcile, and a coalition is forming to do it.
Code-signing has been hardened with Entrust nShield HSMs. The Brno office is open. The Faculty of Informatics at Masaryk University is a partner. The flood from § 05 has put security coordination on the hiring plan.
None of that is press-release filler. It is the work of the next year, condensed into three days of talks, hallway conversations, code, and the kind of decisions that only happen when the people who do the work are in the same room.
Maintainers and committers. Engineers integrating the Library into operating systems, devices, networks and regulated products. The legal and policy people reading the Bylaws, the eIDAS files, the NIS2 obligations, the BSI profile.
Distributions packaging OpenSSL for the world. Member banks running PQC pilots in production. Hyperscalers running the third-party crypto desk. The Business and Technical Advisory Committees. The sponsors who keep the lights on. Researchers and students arriving with their first patch.
If you have real-world work on cryptography, FIPS, post-quantum, governance, or the OpenSSL Mission — this room is yours. The Call for Papers is open until 15 June 2026.
Three days. Four halls. Twenty maintainers, the people they answer to, and the people who ship what they make. Prague — the city that taught Europe to glow — for the people teaching the world to keep a secret.
Come on the record. Submit a paper, take a seat, sponsor a chair, file a patch, ask a hard question. The Library is the work of the room. The room is open until 15 October 2026.