Is there already a roadmap regarding PQC? When will new CAs be available that support the NIST‑approved algorithms? Will hybrid certificates be supported?
We are engaged in the standardization process of PQC certificates, but don’t yet have firm timelines. I would expect us to have something available in the next few years at the latest.
To expand a little more:
One option is ML-DSA certificates, which are being specced out right now, though currently no root programs are accepting ML-DSA roots. We've done a bit of initial testing in pebble on this path.
A number of people in industry have some concerns about whether or not ML-DSA is practical for the web PKI, which is why we're also working on a second solution.
The path we're more interested in is Merkle Tree Certificates, currently in design at the PLANTS working group at IETF. Chrome has indicated that they anticipate this to be their preferred approach to PQC. We're following that very closely, and are likely to deploy MTCs if it looks like that design is going to be supported widely.
There are no "capture-now decrypt-later" type attacks relevant to authentication of TLS connections, so moving the WebPKI to PQC isn't an urgent threat, at least until we're closer to a cryptographically-relevant quantum computer. The most important work right now for the wider world is ensuring universal support for TLS 1.3 and PQC TLS key exchange, like X25519MLKEM768.
Of course, upgrade cycles take a long time, so even if we don't get a CRQC until 2040 or 2050, we want to make sure we're ready long before. Many government agencies are setting timelines of 2030-2035 for adoption, which seems feasible.
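The reply above names TLS 1.3 and hybrid key exchange such as X25519MLKEM768 as the priority. As an added example (not part of the original posts and not Let's Encrypt code), this Python sketch audits a ClientHello handshake message for both; the function names are hypothetical, the sample message is constructed, and the group codepoints are the IANA TLS Supported Groups values.

```python
# Added example: audit a ClientHello for TLS 1.3 and hybrid PQC key exchange groups.
PQC_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
              0x11ED: "SecP384r1MLKEM1024"}
EXT_SUPPORTED_GROUPS, EXT_SUPPORTED_VERSIONS = 10, 43

def _take(buf, off, n):
    if off + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off:off + n], off + n

def _vec(buf, off, len_bytes):  # length-prefixed vector -> (contents, next offset)
    raw, off = _take(buf, off, len_bytes)
    return _take(buf, off, int.from_bytes(raw, "big"))

def _u16s(buf):
    return [int.from_bytes(buf[i:i + 2], "big") for i in range(0, len(buf) - 1, 2)]

def audit_client_hello(hs):
    """hs is the handshake message (type, 3-byte length, body), record header removed."""
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body, _ = _vec(hs, 1, 3)
    _, off = _take(body, 0, 34)         # legacy_version + random
    for width in (1, 2, 1):             # session_id, cipher_suites, compression
        _, off = _vec(body, off, width)
    result = {"tls13": False, "pqc_groups": []}
    if off == len(body):                # no extensions at all: pre-TLS 1.3 client
        return result
    exts, _ = _vec(body, off, 2)
    off = 0
    while off < len(exts):
        raw_type, off = _take(exts, off, 2)
        data, off = _vec(exts, off, 2)
        etype = int.from_bytes(raw_type, "big")
        if etype == EXT_SUPPORTED_VERSIONS:     # 0x0304 is TLS 1.3
            result["tls13"] = 0x0304 in _u16s(_vec(data, 0, 1)[0])
        elif etype == EXT_SUPPORTED_GROUPS:
            offered = _u16s(_vec(data, 0, 2)[0])
            result["pqc_groups"] = [PQC_GROUPS[g] for g in offered if g in PQC_GROUPS]
    return result

def sample_hello(groups, versions):  # constructed ClientHello, not a capture
    g = b"".join(x.to_bytes(2, "big") for x in groups)
    v = b"".join(x.to_bytes(2, "big") for x in versions)
    ext = (b"\x00\x0a" + (len(g) + 2).to_bytes(2, "big") + len(g).to_bytes(2, "big") + g
           + b"\x00\x2b" + (len(v) + 1).to_bytes(2, "big") + bytes([len(v)]) + v)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

A client that reports `tls13` as true with an empty `pqc_groups` list negotiates only classical key exchange, which is the case exposed to capture-now decrypt-later.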