Identity, OpenID Connect, OAuth 2.0, SSO, Authorization, Authentication, Technical Standards. Node.js core collaborator and TSC member.

Joined March 2019
8 May 2021
Software's conformance to standards and its certification is not the pinnacle to shoot for. It is the absolute lowest bar.
Claude for Open Source is a myth...
Did you move off of Node.js v20.x yet? There are only a couple weeks until its EOL. Save yourself the headache of scrambling to upgrade next year and jump straight to v24.x LTS
v24.x has a host of improvements I contributed that are not present on v22.x:
- Post-Quantum Digital Signatures and Key Agreement/Encapsulation in node:crypto and Web Cryptography
- (backport ready and pending) raw private/public/seed key gen and import formats
Filip Skokan retweeted
⚠️ Update: The Node.js project's security bug bounty program is being paused. Reporting remains unchanged, and so does our commitment to security. More details here: nodejs.org/en/blog/announcem…
Introducing CWS, CSS Web Signatures. A security token scheme that runs entirely in the browser's style engine. No JavaScript. No WebAssembly. No server-side computation. Spec interactive demo: panva.github.io/CS24

CS24 provides exactly 0 bits of security. The key is displayed on screen, believed to be the least secure key storage mechanism ever devised. The 24-bit key space is exhaustible in milliseconds, though "somewhat longer using CSS."
The payload supports 3 ASCII characters. Messages like "Hi!", "lol", and "why" are covered. Longer messages are left as future work that SHOULD NOT be undertaken. panva.github.io/CS24/rfc-cs2…

When it comes to JWTs issued for "yourself" the JWE format is far superior to JWS. Just let go of the HMAC JWS algorithms and use JWE direct encryption instead. You get confidentiality and it forces use of correct-length keys. await new jose.EncryptJWT > await new jose.SignJWT
23 Nov 2025
Time to catch up with wicg.github.io/webcrypto-mod… @bunjavascript @deno_land @Cloudflare WPTs are available. Browsers started going through their implementations. These algorithms power HPKE implementations (github.com/panva/hpke)
17 Nov 2025
Let's get some ⭐⭐⭐ going 🙏 github.com/panva/hpke Hybrid Public Key Encryption (HPKE) for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes. Fully tree-shakeable. Fully typed. Extensible.
10 Nov 2025
I've been hammering on a new, 0 dependency, runtime-native-only crypto, module that runs everywhere*. Hard to Predict, Keeps everything Encrypted.
12 Nov 2025
My new project's build script: tsc is then only used to emit declarations and a source map, the published files are index.(js, ts, d.ts(.map))
11 Nov 2025
Only two more Hybrid PQ/T instances to go. Fully tree-shakeable. Fully typed. All crypto through WebCryptoAPI. All official vectors passing.
28 Sep 2025
3 private vulnerability disclosures this week. All AI assisted slop that at first glance seems plausible but when challenged quotes non-existent language from RFCs. Time being wasted. Disclosures invalid.
28 Sep 2025
Now I get private vulnerability disclosures about CVEs that should've never been assigned, that I rejected, and that are invalid, for which I can provide proof.