Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Post-quantum cryptography in digital trust: are controls ready by 2030?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Post-quantum cryptography is becoming a compliance and trust-governance deadline because RSA and ECC-based certificates underpin signatures, timestamps, and digital identity that must remain valid for years, while the EU has already set a 2030 transition horizon and 2026 as an early execution milestone according to Vintegris. The real issue is not algorithm choice alone, but whether identity and trust programmes can manage long-lived cryptographic assets before harvested ciphertext becomes future plaintext.

NHIMG editorial — based on content published by Vintegris: Cómo Vintegris lidera la transición a la criptografía post-cuántica

Questions worth separating out

Q: How should organisations prepare digital trust services for post-quantum cryptography?

A: Start by inventorying certificates, timestamps, trust anchors, and archived artefacts that must survive the full migration horizon.

Q: Why does post-quantum migration matter for identity governance?

A: Because identity governance does not stop at user access.

Q: What breaks if organisations keep issuing certificates with legacy algorithms?

A: The main failure is not immediate compromise but delayed obsolescence.

Practitioner guidance

  • Map trust assets by lifetime Identify every certificate, signature, timestamping dependency, and archived document that must remain valid beyond 2030.
  • Build a crypto-agility inventory Document which systems can change algorithms, certificate chains, and validation rules without redesign.
  • Retire weak algorithms on a defined schedule Set deprecation dates for RSA and ECC use cases that cannot survive the post-quantum timeline, then track exceptions explicitly.

What's in the full article

Vintegris's full article covers the operational detail this post intentionally leaves for the source:

  • The staged migration plan already submitted to the supervisor, including the operational sequence behind the 2026 and 2030 milestones.
  • The new certification hierarchy based on elliptic curve infrastructure and how it is being used as a bridge toward hybrid schemes.
  • The retirement schedule for weak algorithms and the practical timing behind deprecating legacy certificate issuance.
  • The evaluation criteria for PQC-native services and suppliers before full adoption is expected to be complete.

👉 Read Vintegris's analysis of the post-quantum cryptography transition →

Post-quantum cryptography in digital trust: are controls ready by 2030?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Crypto-agility is now a trust governance requirement, not a technical preference. The article’s core message is that digital trust services cannot wait for quantum timelines to become operationally real. Once certificates, signatures, and timestamps must survive for years, organisations need the ability to swap algorithms, reissue trust material, and retire legacy schemes without breaking assurance chains. Practitioners should treat crypto-agility as part of identity governance.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how slowly identity remediation still moves in practice.

A question worth separating out:

Q: Who is accountable for quantum-safe migration in trust-service environments?

A: Accountability sits with the organisation that owns the trust service, but the practical delivery depends on auditors, relying parties, vendors, and regulators. In regulated environments, the programme owner must prove that cryptographic retirement, reissuance, and interoperability planning are tracked as governed change, not ad hoc remediation.

👉 Read our full editorial: Post-quantum cryptography is becoming a trust-governance deadline



   
ReplyQuote
Share: