Skip to content
@rayketcham-lab

Ketcham Lab

PKI infrastructure, post-quantum cryptography tooling, and security engineering. Home of Quantum Nexum.
Ketcham Lab — post-quantum PKI, cryptographic tooling, security engineering



Home of Quantum Nexum — post-quantum trust infrastructure: a certificate-authority program, a software stack, and an engineering resource built for the real world.

Website Post-Quantum Signed commits required 2FA required


What We Do

We build certificate-authority infrastructure, cryptographic tooling, and security software — with an emphasis on real-world deployment and the migration to post-quantum cryptography. Background spans enterprise CA management and Federal PKI operations, including Federal Bridge cross-certification.

Our flagship is Quantum Nexum. Alongside it we ship open tooling for PKI operators and developers, and we're building HomePKI — a private certificate authority for the home network (currently in private beta).


🌌 Quantum Nexum — flagship

quantumnexum.com

Post-quantum cryptography is no longer theoretical — NIST finalized ML-DSA, ML-KEM, and SLH-DSA (FIPS 203/204/205) in 2024. Most organizations aren't ready. Quantum Nexum is post-quantum trust infrastructure built to close that gap — redesigned and relaunched June 2026.

Site live  PKI rebuild  ACME planned  Software alpha  ML-DSA

Platform status — what's live and what's in flight
  • PKI — a 22-CA ML-DSA hierarchy (ML-DSA-87 root; ML-DSA-65 policy + issuing across seven policy branches), currently being rebuilt. The landing at pki.quantumnexum.com is live; AIA, CRL, and OCSP publication return as the new chain lands. Design: /pki/.
  • ACME — an RFC 8555 directory at acme.quantumnexum.com, issuing post-quantum certs against the QN trust anchor. Landing live; the directory opens once the PKI rebuild lands. Details: /acme/.
  • Forge — hands-on PQ tooling, live and growing: keygen, signatures, algorithm compare, OpenSSL 3.5 recipes. At /forge/.
  • Vault — reference library, live and growing: FIPS 203/204/205, the IETF LAMPS PQ RFCs, OpenSSL 3.5 LTS, liboqs, and the CNSA 2.0 / NSM-10 timelines. At /vault/.

Platform software (alpha — early builds on request via quantumnexum.com):

  • Spork — post-quantum certificate authority written in Rust. ML-DSA + SLH-DSA alongside classical ECDSA/RSA/Ed25519; ACME, EST, and SCEP enrollment; OCSP and CRLs. Single static binary (Linux x86_64), RustCrypto primitives — no OpenSSL dependency. BSL 1.1. Public site: /spork/.
  • HomePKI — your own CA for the home network: one static Linux binary, post-quantum ready, no cloud, no account. Issue real TLS certificates for routers, NAS, cameras, and Home Assistant — signed by a CA that belongs to you alone. Private beta.

📡 Now — July 2026

  • tailnumber went public — a detached hash-signing service (dHSaaS) proof-of-concept with an open live demo: sign and verify in two curl commands
  • quantumnexum.com relaunched on the new dark engineering theme (June 2026)
  • QN PKI hierarchy rebuild underway — AIA/CRL/OCSP publication and the ACME directory follow it

📦 Public Showcase

Open code you can use today. Release, CI, and license badges read straight from each repository, so they never go stale.

🔐 PKI & Post-Quantum Crypto

Project What it does Status
tailnumber · live demo Detached Hash-Signing as a Service (dHSaaS) — send a hash, get back a portable signed proof. ML-DSA and hybrid classical+PQ signatures, HSM-held non-extractable keys, 50-year trust chain, offline verification with nothing but OpenSSL. Public overview + open live demo; source private. demo source
PKI-Client · docs Pure-Rust PKI CLI — inspect certificates, generate keys, probe TLS, validate FIPS 140-3 / NIST SP 800-57 / Federal Bridge compliance, and build CA hierarchies. No OpenSSL; one static musl binary. Opt-in post-quantum (ML-DSA, SLH-DSA) via --features pqc. release CI license
PKI-Signing-Service · docs Pure-Rust code-signing engine — Authenticode (PE/CAB/MSI), PKCS#7/CMS, RFC 3161 timestamping, PowerShell SIP, detached CMS. Runs as CLI, REST API, or a standalone TSA server; batch signing and PFX import. ML-DSA opt-in via --features pq-experimental. release CI license
parcl S/MIME encryption, signing, and certificate management add-in for Microsoft Outlook — LDAP directory lookup, AES-256, RFC 5751/7508 compliant. ⚠️ Under active rework — releases pulled; not for install yet. license status

🛡️ Security Tooling

Project What it does Status
shadowtrap Multi-protocol network honeypot — 21 emulated services (SSH, HTTP, MySQL, Redis, RDP, SMB, and more), honeytokens that fire on access, full payload capture with GeoIP and threat scoring, and a real-time HTTPS dashboard. CI license

🧰 Developer Tooling

Project What it does Status
qn-claude-web Self-hosted web UI for the Claude Code CLI — full xterm.js terminal, persistent tmux sessions, chat, and multi-agent orchestration from any browser or device on your network. Pure Python, no build step. release CI license
issue-reporter Drop a feedback button on any web page — reports become GitHub issues. One file, zero dependencies, no backend. Auto-captures console errors, recent API calls, and DOM context; strict CSP and SRI supply-chain pinning. release CodeQL license
project-forge Autonomous idea-generation engine — scores every idea on feasibility, fundability, and ambition across 19 categories, then human-gates one-click promotion to GitHub issues. FastAPI + SQLite; ~$2–3/mo on Haiku 4.5 (or free via the Claude Code CLI). CI license
gh-tracker Self-hosted GitHub analytics dashboard — archives traffic, referrers, people, issues, and self-hosted runner state to SQLite before GitHub's 14-day API wipe. FastAPI backend, React dashboard. release CI license

Licensing varies by project — each badge above reflects that repository's own LICENSE. Most tooling is Apache-2.0; shadowtrap is MIT; tailnumber is proprietary with the demo open for evaluation. A couple of early-stage repos aren't licensed for reuse yet (the badge will say so).


🔒 Security & Trust

We take security seriously across all repositories:

  • Signed commits required — every commit must carry a verified signature
  • 2FA enforced — for all organization members
  • Dependency scanning — Dependabot enabled across repositories
  • Code scanning — CodeQL and custom security workflows
  • Responsible disclosure — see our Security Policy

Found a vulnerability? Email root@quantumnexum.com or use GitHub's private vulnerability reporting.


🛠️ Tech Stack

Rust  Python  C#  JavaScript


🤝 Contributing

We build in the open where we can. Contributions and issues are welcome on any of our public repositories.


📫 Get In Touch

Webquantumnexum.com  |  Emailroot@quantumnexum.com


Building in the open.

Pinned Loading

  1. issue-reporter issue-reporter Public

    Drop a feedback button on any web page. Reports become GitHub issues. No backend required. No dependencies. One file.

    JavaScript

  2. PKI-Signing-Service PKI-Signing-Service Public

    Pure Rust code signing engine — Authenticode (PE/CAB/MSI), PKCS#7/CMS, RFC 3161 timestamping, PowerShell SIP, detached CMS. PFX import, multi-algorithm (RSA/ECDSA/Ed25519/ML-DSA), REST API.

    Rust

  3. PKI-Client PKI-Client Public

    Modern PKI operations tool — certificate inspection, key management, TLS probing, and enrollment protocols

    Rust 1

Repositories

Showing 10 of 10 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…