The OpenSSL Corporation Advisory Committees

The OpenSSL Corporation has established two advisory bodies, the Business Advisory Committee (BAC) and the Technical Advisory Committee (TAC), to strengthen governance and ensure that decisions reflect the priorities of its diverse community. Each committee is composed of elected representatives from the OpenSSL Communities: Academics, Committers, Distributions, Individuals, Large Businesses, and Small Businesses.


For more information about the definition of our communities and the function of the Advisory Committees, refer to the OpenSSL Communities website.

OpenSSL Corporation Business Advisory Committee Members:

Academics – Billy Bob Brumley (RIT)

I made my first contribution to OpenSSL around 2008 when I was a young, bright-eyed, bushy-tailed PhD student. Since that time, as an academic I’ve used OpenSSL as a basis for the vast majority of my research. Over the years, I’ve discovered and (responsibly) disclosed quite a few vulnerabilities in OpenSSL, most of which have CVEs assigned (grep around in CHANGES.md). What separates me from most other academics who use OpenSSL in their research is, I typically contribute software patches for fixes myself, not just point out problems. I’ve also helped with API and functionality issues, particularly in the EC module. I also enjoy contributing to unit and regression testing, either porting public test cases to OpenSSL or designing my own, both positive and negative tests. For an academic, I consider myself pretty active on OpenSSL’s GitHub, submitting my own PRs and/or participating in discussions. At RIT, I run a course called “Open Source Software Security” which I built on OpenSSL. My students are required to submit PRs to the project, and some of them even get merged :D. I feel like my current roles at RIT position me nicely to serve on the BAC. My leadership role in RIT’s GCI entails plenty of committee-based decision making, which is in fact quite abundant throughout academia at large. Topically, I bring not only my own state-of-the-art expertise in my academic discipline, but also exposure to RIT’s significantly broader academic community, packed with far more talented scholars than myself. In summary, I’d be honored to serve on the BAC, allowing me to continue to contribute to OpenSSL, yet in a more formal way!

Committers – Paul Dale (Oracle)

I have almost a decade of experience working closely with and for the OpenSSL project, including five years as an OMC member and seven years as a committer and as an OTC member. I have spent thirty-five years working for businesses from start-ups to large multinational corporations on a wide range of security applications, which has afforded me knowledge, acumen and insight into the business requirements and priorities of the project and its community. I understand the nature of the funding model and I am a primary developer responsible for several of its key components. Given my background, I’m confident that I can facilitate nuanced input that represents the consensus of the committer community to inform the decisions and direction of the project via a BAC role.

Distributions – Jaroslav Reznik (Red Hat)

I’m Jaroslav Reznik, long-time Red Hatter and open source enthusiast, currently working as Compliance Program Manager in Red Hat’s Product Security Compliance team. I believe I can provide value to the OpenSSL Corporation Business Advisory Committee as Red Hat is a well-known OpenSSL community member, I have experience with FIPS 140 and other cybersecurity regulations important for OpenSSL and I believe sharing the same goal can benefit both OpenSSL and Red Hat. In my background, I have a lot of experience in the distribution ecosystems, mainly in Red Hat Enterprise Linux and Fedora - from engineering work (packaging, bringing up a new architecture), through release management, security updates handling to compliance. Even though I don’t have a direct OpenSSL community experience yet ;-), I have a deep open source community background as I was Fedora Program Manager in the past for four years and I was on Fedora Board (as an elected member) and Fedora Council (as an appointed member). This gave me a unique experience of being a person between community and corporate entities and help shaping the Foundation and the Corporation cooperation.

Individuals – Randall Becker

I have been the community maintainer for the NonStop port of OpenSSL since 1.0.2. My participation in Open Source goes back to the early 1990s, when I was involved in porting NFS, RPC, and other smaller components to the NonStop platform. I started in the industry in 1979. My contribution for BAC of the Foundation or the Corporation is to provide perspectives and experience from exotic platforms to the OpenSSL team. I have served on the boards of directors of two companies (one as chair) and the Richmond Hill Board of Trade (director and chair). I also have extensive experience with Roberts New Rules of Order.

Large Businesses – Jeff Johnson (Cisco)

I would like to nominate myself to represent the large business community in the Corporate BAC. I have long believed the work that OpenSSL does is critical in securing the world’s communications and data. This, of course, is fundamental in securing every individual’s right to privacy. Within the context of my position at Cisco, I have been fortunate to work with OpenSSL and other open source initiatives such as Open Quantum Safe (OQS). This work has taken many forms: research funding, in-kind engineering resources and sponsoring. I strongly believe in a corporation’s responsibility to protect customers’ (ultimately all individuals’) right to privacy and a great way to ensure this right is to work with critical broadly adopted open source initiatives. I am fortunate that in my position at Cisco my team enables these same principles in software deployed across the portfolio, thereby affecting millions of individuals across the globe. My professional passion is that: making these principles a reality in products and systems used by real people around the globe. I look forward to assisting OpenSSL in their endeavors to engage with the corporate community. During my 25 years at Cisco, my position as a leader in delivering common security modules across the Cisco portfolio has exposed my team to 100s of Cisco products and services (if not 1000s). As such, my team is at the forefront of customer requests and issues. My team has firsthand knowledge of requests for new technologies and capabilities. Additionally, my team is responsible for delivering security software that is capable of being integrated into these products that enable global certifications (FIPS, Common Criteria, etc). In this last case, my team is heavily involved with NIST via NCCoE to advance the automation of FIPS certifications (ACVP and AMVP). Given all this, what would I want to do in this position? It’s simple really.
Help build a relational community where others can share their voices to advance a common goal. A community where disagreement is considered diversity of thought and isn’t avoided. A community dedicated to the success of open source and in particular OpenSSL. This journey isn’t particularly easy but as my father told me, “nothing worthwhile is easy.” In my position at Cisco I am encouraged by my leadership to further Cisco’s relationships with open source initiatives. My leadership is fully supportive of my commitment and participation in such endeavors (such as Linux Foundation PQCA), both in time and travel. (If a further written commitment is needed from my leadership, I can get that.) (On a personal note, I really want to improve the relationships and communication between open source initiatives and corporations such as Cisco. I feel like these relationships can be needlessly adversarial at times. I honestly believe the relationships could be and should be mutually beneficial, especially considering the outcomes both desire. Cisco has stated that an individual right to privacy is a fundamental and universal right shared by everyone across the globe. I believe that’s where a better relationship can start… by understanding our common and core values and working together for the benefit of everyone.)

Small Businesses – James Bourne (FireDaemon Technologies)

James is an information technology professional specialising in cybersecurity and software development, predominantly in the media and entertainment industry. In addition to technical disciplines, his expertise includes strategy, operations, governance, accounting, budgeting, negotiation, talent acquisition, team building, and mentoring. James’ roles and titles include: CEO of FireDaemon Technologies Limited. Media & Entertainment Cybersecurity and SSDLC Specialist. TPN Assessor. Animation, VFX, and Post Production Systems Administrator and Engineer. With his outstanding patience and communication skills, he is able to summarize and convey issues clearly and concisely, and I can confidently endorse him as a valuable member of the BAC. Additionally, James has overseen FireDaemon’s adoption and promotion of OpenSSL by:

  • Making available OpenSSL binaries for Microsoft Windows including build scripts and other technical advice regarding integrating OpenSSL for free. The link can be found via the OpenSSL Wiki.
  • Integrating OpenSSL into FireDaemon shrink-wrapped software products including FireDaemon Fusion (web services/API), FireDaemon Certify One (TLS verification), and FireDaemon Lozenge (checksums). See https://www.firedaemon.com/products
  • Offering bespoke OpenSSL software development services. See https://www.firedaemon.com/software-development-services

OpenSSL Corporation Technical Advisory Committee Members:

Academics – Nicola Tuveri (Tampere University)

A Researcher at Tampere University (Finland), I contributed to OpenSSL for the first time in 2010; later I had the honor of becoming an OpenSSL Committer and I have been serving in the OpenSSL Technical Committee since 2019. I have also been serving the Academic Community as a representative in the OpenSSL Foundation BAC.

My research specializes in software and microarchitecture side-channel analysis and the integration of modern cryptosystems (lately mainly PQC) in mainstream libraries such as OpenSSL.

Committers – Shane Lontis (Oracle)

I have actively participated as an OTC member and committer over the last 5 years. I have been working as an applied cryptographer for more than a decade and have been coding professionally for over 30 years.

My technical contributions to OpenSSL include the implementation of low-level algorithms (RSA, DSA/DH, SLH-DSA, and ML-DSA), as well as the design and implementation of the FIPS provider. Besides knowledge and experience, I take care to communicate and collaborate effectively with other members of the community. My work is always undertaken with honesty, integrity, and consideration for my colleagues.

Distributions – Dmitry Belyavskiy (Red Hat)

I have 20+ years of experience with OpenSSL development, have been a Committer since 2019 and a member of the OpenSSL Technical Committee since 2021. I am an OpenSSL maintainer in RHEL, CentOS, and Fedora Linux distributions. My last major contribution to OpenSSL was the introduction of opaque objects for dealing with non-extractable symmetric keys (EVP_SKEY).

My main interest in OpenSSL development is its pluggability. As much extension of the functionality as possible should be doable via the providers mechanism. I also think that we need to provide more handles for extending system-wide and application-wide configuration of OpenSSL as a framework.

I believe that something like a maintainers’ club should be established. This club could also participate in decisions about feature branches and be involved in the CVE process.

I think that we currently don’t have enough people to review the PRs. I think we should add the role of reviewers to the role of committers. I believe that the distributions’ representatives and the representatives of major companies having their forks should be granted the status of reviewers.

I think that for better communication with various communities, OpenSSL, both Corporation and Foundation, should introduce the practice of Open Hours.

Individuals – Aditya Koranga

Aditya Koranga is a leading expert in Post-Quantum Cryptography (PQC), Telco Security, and cloud-native technologies, currently serving as the Vice Chair of Post Quantum Cryptography Alliance (PQCA)’s TAC & Chief Security Architect at CORAN LABS, playing a pivotal role in designing and implementing various cryptographic suites and frameworks.

Aditya’s expertise spans a range of open-source projects, including OpenSSL, liboqs, cuPQC, Bouncy Castle, StrongSwan, etc. Along with that he has also led open-source communities such as ngKore and Magma India.

Aditya also focuses on the optimization of cryptographic algorithms for example in KEM algorithms: modifying distribution methods, noise sampling, and NTT reduction schemes. He has worked on cryptographic benchmarking, hardware/software crypto acceleration, and authored several technical blogs, white papers, technical reports, deployment videos on several cryptographic tools including OpenSSL and has patents in Post Quantum security.

Beyond his technical expertise, Aditya is a writer, a poet, and a rapper (sometimes, on the weekends) who enjoys reading RFCs before going to bed.

“As a TAC member, I will drive its adaptability, ensuring cryptographic solutions are effectively used and integrated into real-world applications. My focus will be on expanding contributions, fostering collaborations, and bringing more impactful individuals under OpenSSL. Beyond development, I believe in the right alignment between innovation and marketing and will work to unify the community, and ensure transparency so we can move forward together. I will also support the community in executing the OpenSSL Foundation and the OpenSSL Corporation vision, helping wherever needed to strengthen our collective mission.”

Large Businesses – Craig Lorentzen (Amazon)

As a security engineer with two decades of experience, Craig brings technical depth and practical expertise to the advisory committee. In his current role at Amazon Web Services (AWS), he serves as a trusted security advisor to development teams addressing complex challenges around performance, compliance, and security at massive scale. He provides critical guidance on integrating OpenSSL across AWS’ service portfolio protecting millions of customers globally.

Craig’s extensive background bridging both defensive and offensive security, coupled with hands-on experience supporting the world’s most comprehensive and broadly adopted cloud, enables him to represent the crucial perspective of enterprise organizations while understanding the technical challenges faced by the broader security community. His mastery across the security spectrum from infrastructure to offensive security is confirmed by attained credentials including the Security CCIE (2012), ISC2 CISSP and CSA CCSK (2015), SANS GXPN and OSCP (2020). His collaborative approach and proven track record make him an ideal candidate to help shape the future direction of this important initiative.

Small Businesses – Paul Yang (ToneFlow)

I began contributing code and documentation to OpenSSL eight years ago and have served as a committer since 2018. My career in cybersecurity started in 2008 with the development of network firewalls and cloud security products. A decade ago, I joined Alibaba, one of the world’s largest e-commerce companies, where I led encryption initiatives for critical platforms like Taobao and Alipay. This experience solidified my expertise in cryptography. Later, at BaishanCloud, a startup, I organized a visit by the OpenSSL team to China, which deepened my technical and strategic understanding of the project.

Over 17 years, I’ve transitioned from startups to tech giants. While currently employed at a large corporation, I also founded a music technology startup that relies on cryptography to protect customer data, musical intellectual property, and secure remote music education. I strongly align with OpenSSL’s mission and believe that I can provide the unique perspective of small businesses in providing advice to the Corporation in its decision-making processes having worked in both small and large businesses. If elected, I will strive to represent our community in steering the project to address small businesses’ needs, facilitating easier access to robust, high-quality security capabilities. Let’s secure OpenSSL’s success in another three decades.

Register as a Community Member

We invite you to join the OpenSSL Communities and take advantage of the opportunity to make your voice heard.

Become a member of the Advisory Committee
  • Go to the OpenSSL Communities website and click “SIGN IN”.
  • Create your account by entering your email address and clicking “CONTINUE WITH EMAIL”.
  • Fill in your name and surname and click “CREATE ACCOUNT”.
  • Enter the code from your email address and click “SIGN IN”.
  • Choose the community or communities you associate with and want to represent and click “JOIN GROUP”.
  • Please specify why you want to join each community you wish to participate in.
  • You will receive a notification once the administrators approve your request.

If you have any questions or need assistance, please contact us at communities@openssl.org.