And that’s a wrap!
A summary of the Transparency.dev Summit 2025
It’s been a month since the Transparency.dev Summit 2025, and what an event it was! In late October, over the course of two and a half days, implementers, operators, and clients of real world transparency systems came together in a beautiful event space in Gothenburg, Sweden, to meet face to face, share best practices, and learn about the latest developments in the transparency community. Laughs were had, owls were drawn, free t-shirts were provided, and a life-size 2D cardboard cutout of an attendee unable to make it in person was present. What more could one want from such a gathering?
Keynote: The tlog Ecosystem
The event kicked off with an insightful keynote delivered by Filippo Valsorda, outlining the current state of affairs in transparency log ecosystems. Filippo gave a thorough overview of everything the transparency community has now, covering specifications, code, shared infrastructure and existing transparency applications, before looking to the future and discussing what comes next. With his keynote, Filippo gave context to the work being done by everyone in the room, tied together much of the content that followed in the next couple of days, and explained how it all fits into the bigger tlog ecosystem picture.
Certificate Transparency pushing forward
Following the keynote, the first day of the summit focussed primarily on Certificate Transparency (CT). A wonderfully balanced set of talks included points of view from every type of actor that participates in the CT ecosystem, giving the audience a fully fleshed out picture of how CT functions today.
Log operators were represented by Philippe Boneff and Roger Ng discussing running TesseraCT - a static CT log implementation. Matthew McPherrin represented Let’s Encrypt as both a log operator and a Certificate Authority, talking about the challenges and specific insights that being both provides. Although not a CT log operator himself, Dennis Jackson provided a novel idea for how to reduce the load on log operators by serving the content of CT logs as static ct tiles over BitTorrent.
Next up, User Agents and CT enforcers included Mustafa Emre Acer presenting how Chrome decides which CT logs qualify to be in their log list, and Roger Ng discussing CT enforcement in Android 16.
Andrew Ayer, who has been keeping log operators honest for many years now, talked about patterns seen in the various CT log failures he has detected as a log monitor. Certificate monitoring was covered by Program Committee Chair Rasmus Dahlberg in his talk about filtering out the noise of regular legitimate certificate issuance notifications as certificate lifetimes decrease. Then in a fun twist on monitoring, Bhushan Lokhande talked about using CT log data for a different purpose - to inspect brand logos and trademarks. His talk demonstrated that CT logs expose previously unseen but potentially interesting datasets.
To complete the CT ecosystem, and after a last minute unexpected circumstance that meant that he was unable to attend the summit in person, Program Committee Chair Martin Hutchinson dialled in remotely to contribute his talk about Verifiable Indexes - the key piece still missing from the CT ecosystem. Once in place, the CT ecosystem will be what it was originally envisaged to be.
After talking to us about things going bad in the world of CT, Joe DeBlasio then encouraged us to look forwards by presenting Merkle Tree Certificates (MTCs) - an early internet draft coauthored by many of the big players in the existing CT community, to plan a redesign for how CT will function in a post-quantum future. Certificate transparency is the longest established and most stable transparency ecosystem there is, and as such, drastic design changes rarely happen. However, as we look forward to what will eventually become a post-quantum world, CT will need to adapt along with everything else.
Transparency applications left, right and centre
For me personally, the second and third days of the summit were extremely special. As a former participant in the CT ecosystem and community, I left the transparency community in 2022 when non-CT transparency applications were few and far between, and those that did exist were just beginning to feel their way through what shape a transparency ecosystem should take. Having returned to the community only a few months ago, hearing talks on such a breadth of transparency applications fully opened my eyes to how far the community and technology has come since then.
To begin, our host in Gothenburg, Fredrik Strömberg, talked about his work on hardware transparency for the Tilitis TKey and HSM, and gave a demo (everyone loves a demo!) Adit Sachde followed this to discuss how confidential computing can protect virtual machines in the cloud, and how this could benefit the all important witness network as it begins to scale, by opening up the option for witnesses to be run in the cloud.
In the Website Transparency portion of the day, Michael Rosenberg, Dennis Jackson and Giulio Berra discussed the existing issues with cryptography in web applications, and presented ideas for how to bring properties such as integrity, consistency and transparency to web-based experiences.
Our next topic was package management, with Mechiel Lukkien taking us through how gopherwatch monitors Go modules, Hayden Blauzvern discussing the software supply chain and transparency for package registries in general, and Holger Levsen summarising the state of reproducible builds, and inviting the community to collaborate on bringing transparency into associated projects.
After lunch on the second day of the summit, we had one of the more whimsical moments of the conference. A life-sized cardboard cutout of Martin Hutchinson (our Program Committee Chair who was unable to attend last minute) arrived, and, much to everyone’s delight, it was established that cardboard Martin would be joining us all for dinner that night.
After this brief comical interlude, Alexis Hancock discussed the very real impact transparency could have on accountability within Digital ID systems that are being created by governments all over the world.
This was followed by talks on Binary/Firmware Transparency, including an entertaining talk and demo by Andrea Barisani and Daniele Bianco on implementing transparency in UEFI boot managers, Tom Binder discussing binary transparency based on signed endorsements - something Google has tailored to their use case of managing the boundary between open-source and internal repositories at Google, Billy Lau bringing us up to speed on Android’s Firmware Binary Transparency, and an energetic talk from Tiziano Santoro on distributed Content Addressable Storage.
To complete the wider transparency topics set, on the final day of the summit Melissa Chase gave a wonderful overview of Key Transparency (KT), with Brendan McMillion following it up with why the KT protocol being standardised by the IETF helps remove the need for an independent and trustworthy third party to help operate the system, and Elena Pagnin presenting a novel idea for achieving split-view protection in centralised transparency logs.
My expertise on these topics is limited, so I have held back from going further in summarising the content of these talks for fear of misrepresenting them. However, I strongly encourage you to check out each and every talk on the transparency.dev youtube channel.
Building together
While all of the talk content at the summit was top notch, it was the moments in and around the talks that really captured the spirit of the community. People were discussing ideas, collaborations and future work during every single break, every social dinner, every possible moment available. They couldn’t get enough of it.
Over the three days, we held two slots for breakout sessions, during which attendees came together in groups to discuss whatever topics they felt would be most beneficial to discuss in person. Topics included witnessing, MTCs, CT, transparency for web applications, Tilitis hardware, KT, and reproducible builds. These turned out to be some of the most popular sessions of the whole event, with everyone grumbling when encouraged back to the main room to move on to the next session. In our community, people thrive when given the opportunity to work together.
In Filippo’s keynote, he emphasised that ‘the hard part is the part that you can’t build alone.’ He meant it in terms of software - for most systems you just build the thing and put it out there, but in transparency systems you have to have third parties involved for the system to work. But I think that with that quote he has also stumbled upon the foundation of what makes this community great. Everyone here understands and accepts that, for transparency to work, we can’t do it alone. And although the hard part may be the part that you can’t build alone, with an incredible community of brilliant individuals all pulling together, the hard part becomes a hell of a lot easier.
A huge thank you to the hosts of the Transparency.dev Summit 2025, Glasklar Teknik, and our sponsors, Google, Google Chrome, Chalmers University of Technology, the University of Gothenburg and Trail of Bits, without whom the summit could not have happened.
