On Sat, 2025-10-18 at 06:20 +0000, Wang Guilin wrote: > The point is: Customers (and also professionals, like experts here) do not > exactly know when CRQC will be available. So, there is a long period up to > years for such uncertainty. For example, if this uncertain period is > 2030-2035, what customers should do in 2030 or 2031?
The fact is that with signature as used in JOSE there is generally no problem until a CRQC is available, and even then it needs to be fast for it to be a problem for authentication schemes. So there is no need to rush to deploy QC until the threat is imminent. My answer would be: wait a couple of years until you are confident your PQ algorithm of choice is solid and then migrate to that. Encryption is an entirely different thing, you need to move a lot earlier because of "harvest now, decrypt later" therefore hybrid KEMs are very important and should be deployed asap. Different threats require different answers and different timing. Simo. -- Simo Sorce Distinguished Engineer RHEL Crypto Team Red Hat, Inc _______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
