May 21, 2026 | Minneapolis, Minnesota, USA
Type: Enhancing Security Tools
Thursday, May 21

10:25am CDT

The Architecture of Accountability: Transparency in Software - Hayden Blauzvern, Google
Thursday May 21, 2026 10:25am - 10:40am CDT
In the context of secure systems, "transparency" is often a loaded term. We will propose a precise definition: the guarantee of discoverability and auditability. Transparency is the difference between a system that merely claims to be secure and a system that provides proof of its security claims.

This session offers a high-level primer on the principles of cryptographic transparency. We will discuss how to design transparent applications and explore the tooling available to create tamper-evident systems. We will examine how this pattern has already been used, from Certificate Transparency providing auditability for web PKI, to Binary Transparency securing software delivery, to Key Transparency hardening messaging applications. We will also demonstrate how transparency can be applied to emerging frontiers, such as AI model provenance and news authenticity.

Finally, we will discuss the ongoing specifications work to standardize transparency primitives and highlight opportunities to participate. Attendees will leave with a clear mental model for transparency by design, ready to build systems where accountability is a default feature, not an afterthought.
Speakers
Hayden Blauzvern

Technical Lead Manager, Google
Hayden Blauzvern is a technical lead manager on Google’s Open Source Security Team, focused on making open-source software more secure through code signing and applied transparency. Hayden is a maintainer and the community chair on the Sigstore project.
101E

12:25pm CDT

Gemara: The GRC Architecture You Didn’t Know You Built - Hannah Braswell & Jennifer Power, Red Hat
Thursday May 21, 2026 12:25pm - 12:45pm CDT
If you’ve ever set a branch protection rule or configured a security scan, you’ve already entered the world of GRC. You may not have realized it at the time, though, because GRC is often seen as a combination of spreadsheets and screenshots. Framing this through Gemara reveals a different reality: these security configurations don't exist in a vacuum; they work within a larger, interconnected architecture.

In this session, we’ll explore OpenSSF's Gemara Model to show you how your existing SDLC workflows can produce the compliance evidence you’ve been looking for. Join us to learn how to stop performing GRC as a chore, and start managing it as the engineering task it already is.
Speakers
Hannah Braswell

Associate Product Security Engineer, Red Hat, Inc.
Hannah is an Associate Product Security Engineer at Red Hat, focusing on proactively securing complex open-source systems. As an active contributor to the OSCAL Compass CNCF community, she is passionate about pragmatic development and using automation to enhance security workflows...
Jennifer Power

Principal Product Security Engineer, Red Hat
Jennifer Power is a Principal Product Security Engineer at Red Hat, where she focuses on open-source solutions for compliance automation. She is active in the open-source community, contributing to multiple projects, and is currently a maintainer of the OSCAL Compass CNCF project...
101E

4:20pm CDT

Quantum Proofing Sigstore: A Tale of Three Approaches - Kevin Conner, Red Hat
Thursday May 21, 2026 4:20pm - 4:40pm CDT
Implementing post-quantum cryptography in supply chain security requires decisions beyond algorithm selection, with trade-offs affecting performance and storage. This talk explores three approaches for adding PQC to Sigstore, the open standard for signing and verifying artifacts. The first keeps classical certificates and adds PQC signatures to transparency log inclusion proofs. The second implements hybrid X.509 certificates with dual classical/PQC signatures, modifying the signing, verification and transparency components. The third leverages Merkle tree certificates, embedding PQC commitments for efficient batch verification with minimal overhead. The talk presents prototypes, demonstrates post-quantum signing and verification, and reveals the compromises in each approach and how assumptions in existing code created unexpected challenges. Attendees will gain an understanding of each method, providing a foundation for contributing to community discussions around post-quantum adoption.
Speakers
Kevin Conner

Senior Principal Software Engineer, Red Hat
Kevin is a Senior Principal Software Engineer on Red Hat's Trusted Artifact Signer team, working on Sigstore projects. Previously Chief Engineer at GetUp Cloud, focusing on Kubernetes and DevSecOps, he has worked at startups and major companies like Sun Microsystems and Red Hat, leading...
101E