The latest news, insights, and what we’re hearing between sessions. Our daily journal straight from the Moscone Center floor, compiled by our boots-on-the-ground team, including Leo Grove, President and CEO of SSL.
Monday, March 23, 2026
From Dustin Ward, SSL EVP of Technology:
RSA Conference (RSAC) is the largest cybersecurity event in the world. Every year, tens of thousands of security professionals congregate in San Francisco’s Moscone Center to discuss what’s in the pipeline, what’s broken, and what we need to do about it. It’s where the industry sets the agenda.
Here’s what I’m hearing across the industry:
- Organizations know Post-Quantum Cryptography is coming, but don’t know where (or how) to start
- AI is creating new attack surfaces and new trust requirements simultaneously
- C2PA and content provenance are moving from “interesting” to “essential”
- Certificate lifecycle management is getting more complex across both public trust and private PKI
- Most teams are managing all of the above with yesterday’s tooling
One session in particular stuck with me more than most. It focused on the move toward 47-day certificate lifetimes: going from 398-day certs to 200, then 100, and eventually 47. That’s an 8x increase in rotation frequency, and it’s not a compliance problem, it’s an operational one. If your answer is still manual processes and loosely connected tooling, you’re already behind. And single-CA dependency becomes a real risk when you might need to replace your entire certificate footprint in 24 hours.
This is something we’ve been leaning into at SSL.com: private PKI for use cases where public trust isn’t the right model, and true backup CA readiness where validations are already in place, issuance paths are established, and you can shift traffic or issue in parallel when it counts.
Beyond certificates, two themes dominated almost every conversation today: AI and PQC.
On the AI side, agentic AI was everywhere today, a productivity revolution that also presents serious risks, from AI-driven attacks to the challenge of governing autonomous agents acting on your behalf. How do we authenticate AI-generated content? How do we secure the models themselves? This is where standards like C2PA and strong PKI aren’t just nice-to-haves. They’re becoming foundational.
On the PQC side, NIST has finalized its post-quantum standards. The migration clock is ticking. If you’re responsible for anything that touches certificates, whether it is public trust TLS/SSL, private PKI, code signing, C2PA content authenticity, the question isn’t if you need a PQC transition plan. It’s whether you already have one.
This is the stuff my team and I work on every day at SSL.com. Please don’t hesitate to reach out if any of these topics are top of mind.
This journal updates daily through RSAC week. Check back tomorrow for Day 2 coverage, and follow us on LinkedIn for real-time highlights from the floor.
Want to talk about how your organization is preparing for shorter certificate lifecycles, multi-CA readiness, or post-quantum planning? Our team is at RSAC this week. Let’s connect.