David Vedvick

Open Source 2026 Notes

Everything You Learned about TLS is Deprecated: New SSL

Todd Gardner (CertKit, Founder)

  • RSA: acronym for Rivest, Shamir, and Adleman (founders of RSA Security)
    • RSA, key exchange
    • RSA, cert key
    • RSA, signature algorithm
    • RSA, the company

TLS Before ~2013:

  • Domain Validation - proves you control the domain.
  • Organization Validation - CA "verifies" your org exists.
  • Extended Validation - Green banner with company name
  • Same encryption for all levels of validation.

Certificates

  • CA/Browser Forum
    • Self-regulating body of CAs and browser vendors
    • Baseline requirements: rulebook for CAs to be in browsers.
    • Pay CA, cert valid for 5 years
    • Basically a protection racket.
  • In 2011, DigiNotar was completely compromised.
    • Issued rogue certificate for Google.com in Iran
    • Hacked by unpatched software, internet-exposed internal services, and default passwords.
    • They had passed their security audits.
  • In 2013, Snowden happened.
    • Raw data collected from commercial partners
    • Extracted raw data from fiber-optic cables
    • "Harvest now, decrypt later" philosophy was followed.
    • NSA got decryption keys via coercion or collaboration.
  • Perfect Forward Secrecy
    • Cert still proves identity.
    • Encryption uses ephemeral (one-time) keys (using Diffie-Hellman).
  • Google: stop trusting audits, start logging.
  • Certificate Transparency:
    • Public, append-only log of issued certificates.
  • wget certkit.io/tools/ct-logs/?example.com -> Todd's company.

Encryption

  • 2005: SHA-1 was shown to not be collision free.
  • 2015: "The SHAppening" - freestart collision.
  • 2017: CWI & Google: "SHAttered" - full collision.
  • 2014: Heartbleed: buffer overflow in OpenSSL
    • Sites with PFS: "our key may have leaked, but past sessions are safe."
    • Without PFS: "assume everything is compromised."
    • Hundreds of thousands of certs needed to be revoked; the infrastructure couldn't handle it.
  • CRL: Certificate Revocation List -> grew huge, slow, stale, and almost no one looked at them.
  • 1999: OCSP: Online Certificate Status Protocol -> poor reliability, privacy, considered optional, leaks entire browser history through calls to OCSP.
  • 2003: OCSP Stapling: hard to implement.
  • 2012: Chrome drops OCSP: "seat belts that snap in a crash".
  • 2015: Let's Encrypt: free, automated CA, and an automated certificate issuance protocol.
    • ACME: the protocol
    • Let's Encrypt: the CA.
    • Free Certs, short lifetime (90d), fully automated.
    • Other CAs: enterprises can't handle automation.
  • 2017: Google proposes 1 year cert lifetimes.
    • Symantec was caught issuing unauthorized certs, including google.com.
    • Submitted audits from unlicensed auditors; more than 30,000 mis-issued certs.
  • 2018: Bygone SSL: domains change hands, certificates don't.
    • 1.5m domains with certs owned by someone else.
    • 45-day certs would reduce takeover by 95%.
  • 2019: EV Death: nobody checks the company name, so not secure, so DV, EV, OV went away.
  • 2020: CA/Browser Forum: Apple announces certs no longer trusted over 398 days.
  • ACME became an IETF standard
  • Cert lifetimes:
    • 2026: shortened to 200 days
    • 2027: shortened to 100 days
    • 2029: shortened to 47 days
    • ...
    • Cert authorities must handle distributing fast-changing certs.
  • certkit.io: a certificate lifetime manager.
  • Quantum computing is expected to break Diffie-Hellman.
    • PFS might not be so perfect anymore.
    • NSA might break traffic with Quantum computing.
    • Post-quantum cryptography is coming.
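The shrinking lifetime schedule above only matters if you can actually measure a certificate's lifetime. The following is an added example, not code from Todd's talk or from CertKit: a minimal DER reader that pulls notBefore/notAfter out of an X.509 certificate (pure stdlib, no external parser) and compares the lifetime with the cap in force. The year-to-cap table is an assumption built from the notes (398 days from 2020, 200 in 2026, 100 in 2027, 47 in 2029), keyed on the issuance year; the sample certificate is a constructed skeleton containing only the fields the parser walks, with placeholder issuer/subject/signature.

```python
"""Added example (not from the talk or CertKit): read the Validity of a DER
X.509 certificate with a tiny ASN.1 reader and check it against the shrinking
maximum lifetimes noted above."""
from datetime import datetime, timezone

# Assumed mapping of issuance year -> maximum lifetime in days, from the notes.
MAX_LIFETIME_DAYS = {2020: 398, 2026: 200, 2027: 100, 2029: 47}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(seq_value):
    """Yield (tag, value) for each element inside a SEQUENCE's content bytes."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        yield tag, val


def parse_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])                     # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag {tag:#x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, tbs, _ = read_tlv(cert, 0)           # tbsCertificate is the first element
    fields = list(iter_children(tbs))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (t1, v1), (t2, v2) = list(iter_children(validity))
    return parse_time(t1, v1), parse_time(t2, v2)


def max_lifetime_for(year):
    """Cap in force for an issuance year: the latest schedule entry <= year, or None."""
    applicable = [y for y in MAX_LIFETIME_DAYS if y <= year]
    return MAX_LIFETIME_DAYS[max(applicable)] if applicable else None


def check_lifetime(der):
    """Lifetime in days, the applicable cap, and whether the cert fits under it."""
    not_before, not_after = certificate_validity(der)
    days = (not_after - not_before).days
    cap = max_lifetime_for(not_before.year)
    return {"days": days, "cap": cap, "compliant": cap is None or days <= cap}


# --- constructed sample data: a skeletal Certificate with placeholder fields ---
def der(tag, content):
    """Encode one TLV (short or long form length)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_certificate(not_before, not_after):
    """Build a minimal DER Certificate from 'YYYY-MM-DD' strings (constructed, unsigned)."""
    def utctime(s):
        return der(0x17, datetime.strptime(s, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +          # [0] version v3
              der(0x02, b"\x01") +                      # serialNumber
              der(0x30, b"") +                          # signature algorithm (placeholder)
              der(0x30, b"") +                          # issuer (placeholder)
              der(0x30, utctime(not_before) + utctime(not_after)) +
              der(0x30, b""))                           # subject (placeholder)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    for nb, na in [("2026-06-01", "2026-12-31"), ("2026-06-01", "2026-08-15"), ("2029-01-01", "2029-03-01")]:
        print(nb, na, check_lifetime(sample_certificate(nb, na)))
```

On a real certificate, feed the DER bytes (for PEM input, strip the armor and base64-decode first) to `check_lifetime`; the long-form length handling is what makes it work on full-size certificates rather than just the skeleton.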

Earning Trust One Metric at a Time

Shaun Jurgemeyer, Ewan Ng, rbauction.com, ritchiebros.com

  • Symptoms of Broken Data Platform
    • Stakeholders building shadow spreadsheets
    • Sprawl of one-off reports
    • Analysts reconciling instead of analyzing
  • Data plumber problem
    • No official definitions
    • Multiple sources of truth
    • No consistent tooling
    • Legacy systems onboarded and never revisited
    • No data governance
  • Enabling clarity with semantic views
    • "Semantic": getting the definition that works for the business.
    • "Ontology": a map of your business domain.
  • Semantic Modeling:
    • Shared meaning
    • Reuse over rework
    • Built-in governance
    • Foundation for AI
    • Types:
      • Knowledge Graphs
      • Governed Metrics; definitions written once, not copy-pasted into every dashboard or query.
      • Ontologies
      • Metadata Model

Business ontology

A formal description of the entities, attributes, and relationships that make up a business ― the shared vocabulary.

  • Describes the business, not any particular system or table. Definitions persist when the tech evolves.
  • Captures relationships.
  • Shared vocabulary.
  • Why it matters:
    • Terminology based on business definition.
    • Shared vocabulary across all domains.
    • Foundation for every metric downstream.
    • Business and data speak the same language.
  • Building an Ontology:
    • Engage with business owners.
    • Mine existing docs using AI tools.
    • Produce a structured strawman (ed: plant a flag in the ground)
      • The output is a first-cut ontology ― not a source of truth, but something concrete for business owners to react to. A blank page produces nothing, but a strawman produces a working session.
  • Publishing the data matters as much as defining it.
    • End users need definitions in the moment.
    • Discovery is part of governance.
    • The catalog has to be accessible to everyone.
  • Define once, reuse everywhere.
  • How do you know it's working?
    • Quantitative: certified content adoption, decline in ad-hoc report requests.
    • Qualitative: stakeholder confidence in reviews, analysts shifting from reconciling to analyzing.

Four Principles of Governance

  • Trust earned in small, consistent decisions, not big launches
  • Governance is a service, not a gate.
  • Semantic layer is where the business and the data meet.
  • Start with metric definitions. The technology follows.

3 Questions to Ask

  • Have you defined what your core business terms actually mean?
  • Can your end users find the governed definition without asking IT?
  • Does your data team understand the business meaning of what they're building?

Small Language Models

Kelly Calendine (Genesis10), Chike Okonta (Health Partners)

  • Task-Specific AI Models
    • Contextualized, reliable, and cost-effective
    • Latency matters
  • SLM:
    • Typically 1M to 10B parameters
    • Able to run in environments where compute and memory are limited
    • Inference efficiency (cents per 1M tokens)
    • Specialized intelligence in a specific domain
    • Accessible - lowers the barrier for researchers and developers to experiment with
    • Factual trade-off - smaller sizes might be better at reasoning, but have reduced capacity for retaining broad, trivia-based knowledge.
  • LLM:
    • LLM: 70B to 1T parameters
    • Dollars per 1M tokens

SLM flow (Mermaid):

flowchart LR

LM --> Controller --> t1[Tool #1]
Controller --> t2[Tool #2]

Shrinking Models

  • Distillation
    • Training a smaller model to mimic behavior of larger model.
  • Quantization
    • Reducing numerical precision of weights.
  • Neural Pruning
    • Removing redundant pathways that contribute minimally to model's final predictions.
  • Mixture of Experts
    • Activating only a specific subset of parameters during inference to minimize latency and energy consumption.

See: TurboQuant, gemma4
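Of the four shrinking techniques above, quantization is the one that fits in a few lines. The following is an added example, not code from the talk, TurboQuant, or Gemma: symmetric absmax int8 quantization of a weight vector in plain Python, with dequantization and the rounding error it introduces, so the "reduced numerical precision" trade-off is visible on real numbers. The weight values are constructed.

```python
"""Added example (not from the talk): symmetric per-tensor int8 weight quantization,
the technique summarized under "Quantization" above."""


def quantize_int8(weights):
    """Map floats to int8 with one per-tensor scale (absmax symmetric).

    Returns (scale, list of ints in [-127, 127]). The scale is chosen so the
    largest-magnitude weight lands exactly on +/-127; everything else is rounded
    to the nearest multiple of the scale, which is where precision is lost.
    """
    absmax = max(abs(w) for w in weights) or 1.0   # all-zero tensor: any scale works
    scale = absmax / 127
    q = [max(-127, min(127, round(w / scale))) for w in weights]
    return scale, q


def dequantize(scale, q):
    """Restore approximate floats from int8 values and the scale."""
    return [scale * v for v in q]


def max_abs_error(weights):
    """Largest per-weight reconstruction error after a quantize/dequantize round trip.

    For symmetric rounding this is bounded by scale / 2, so an outlier weight
    (large absmax) makes the scale coarse and hurts every other weight in the tensor.
    """
    scale, q = quantize_int8(weights)
    restored = dequantize(scale, q)
    return max(abs(w - r) for w, r in zip(weights, restored))


def storage_bytes(n_weights, bits):
    """Bytes needed for n weights at the given width (32 for float32, 8 for int8)."""
    return n_weights * bits // 8


if __name__ == "__main__":
    sample = [1.0, -0.75, 0.1, 0.0]               # constructed weights
    scale, q = quantize_int8(sample)
    print("scale", scale, "int8", q)
    print("restored", dequantize(scale, q))
    print("max abs error", max_abs_error(sample), "bound", scale / 2)
    print("bytes float32 vs int8:", storage_bytes(len(sample), 32), storage_bytes(len(sample), 8))
```

Per-channel scales (one scale per output row instead of one per tensor) are the usual next step when a single outlier dominates the absmax; the same three functions apply row by row.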

Duplicating Layers

  • LLM Neuroanatomy: Topping the LLM leaderboard without changing a single weight.
  • Duplicating middle layers increases curve fitting?

Agentic AI Tools

  • Helios: EVTOL command center
  • Finocurve
  • Node enterprise/Dynamic Agent Network
  • Synescura
  • A2A - "MCP for agents", standardizes communication between agents

Challenges

  • Bias, generalization: SLMs can inherit and amplify biases from larger teacher models
  • Adversarial Robustness: more prone to errors when faced with ambiguous scenarios or adversarial inputs.
  • Increased hallucination.

Real-World Applications

  • Predictive maintenance
  • Vehicle nav
  • Content summarization

From Vibe Coding to AI DLC

Paul Delaria, John Husemoller, AWS Solution Architects

  • Your own chief of staff?
  • They've shortened their architecture problem solving time from 2w to 2.5h.
  • Context is king, as always for LMs.
  • Kiro - AWS AI IDE.
  • Don't get attached to outputs?
  • Share skills for interviews and such.

AI-DLC

DLC: "Development Lifecycle" (without the software? :D)

  • AI orchestrates development.
  • AI DLC Steps:
    • Mob Elaboration
      • Build context on existing code
      • Elaborate intent with user stories
      • Plan units of work
    • Mob Construction
    • CI/CD

Building your own MCP server

Isaac Johnson, Sr. Staff Cloud Architect, Abbot

  • Skills vs. MCP servers
  • Skills:
    • Minimize context (fewer tokens)
    • Can symlink
    • Must be local
    • Detailed instructions
    • Can run code
  • MCP Servers:
    • Full context (more tokens)
    • Support secrets
    • Can use docker
    • Can be remote
    • Can control access
    • Can access private data
    • Can run over HTTP or STDIO

Making an App With AI

  • Use Figma or Stitch to create a DESIGN.md app
  • Use CI/CD
  • Use Harbor to scan for High CVEs
  • Chainguard Images - open source hardened images

Building an MCP server

  • Use FastMCP
  • MCP Inspector - useful for testing and browsing MCP server APIs
  • Use skills to easily interact with MCP server

Women in AI - Building for Social Good

Jena Zangs, Esse Komlanvi, and Shannon Seaver

  • Nuse: AI-driven financial access in the user's native language.
  • Women Build the Future: platform for women presenting at tech conferences.

Building Your Own Socially-Driven Project

  • Ideating with chatbots as always.
  • Dedicate 30m to every day and see if momentum is sustained.
  • Most expensive models don't always give the best results.

Panel Discussion

  • Chatbots lower the expertise barrier.
  • Low-resource communities' voices are still missing from AI built systems.
  • K12 children are being told they can't use AI, but they're told they'll be replaced by AI as well.
  • Most dangerous phrases in AI today: "We will fix it later", "AI will take your job", "AI can't be used for good."
  • Dealing with parent emails via AI is useful for separating emotionally from angry parent emails.
  • Notebook LLM is really useful for note taking.
  • How to avoid "offloading" when students are learning with AI?
    • Should we rethink what's important in school?
    • Better to have the teachers introduce it and teach its flaws.
    • Writing with precision is really important, writing by hand is really important.

Note posted on Wednesday, May 27, 2026 7:17 PM CDT