TL;DR: NIST has advanced another round of review for post-quantum digital signature algorithms, reinforcing that PQC migration is an operational problem as much as a cryptographic one, according to DigiCert. Enterprises will need crypto-agility, not just algorithm selection, to manage hybrid environments, certificate lifecycles, and changing standards over time.
NHIMG editorial — based on content published by DigiCert: NIST advances post-quantum signature algorithms
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams prepare certificate estates for post-quantum migration?
A: Start with inventory, dependency mapping, and lifecycle automation.
Q: When does crypto-agility matter more than selecting a specific PQC algorithm?
A: Crypto-agility matters most when standards, vendor support, and deployment maturity will change over time.
Q: What breaks when certificate lifecycle management is still manual during PQC migration?
A: Manual lifecycle management breaks scale, consistency, and response speed.
Practitioner guidance
- Build a full cryptographic inventory: map certificates, trust anchors, protocols, and the systems that depend on them before planning any PQC change.
- Automate certificate lifecycle controls: move issuance, renewal, revocation, and policy enforcement into central workflows so crypto changes do not depend on manual coordination.
- Classify hybrid dependencies by migration risk: rank applications and services by how difficult they will be to move from classical to post-quantum trust.
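As an added example (not code from DigiCert's article or this NHIMG post), the inventory and ranking steps above in Go using only the standard library: QuantumExposure labels a parsed certificate's signature algorithm, MigrationRisk ranks it by dependent systems, trust-anchor status, algorithm and remaining validity, and selfSigned constructs sample certificates in place of ones read from a real store. The function names, the risk weights and the dependency counts are assumptions, not figures from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// QuantumExposure: every signature scheme Go's x509 can issue today is classical
// (quantum-vulnerable); anything else is "unknown" for human review, never assumed PQ.
func QuantumExposure(alg x509.SignatureAlgorithm) string {
	switch alg {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS,
		x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS, x509.ECDSAWithSHA256,
		x509.ECDSAWithSHA384, x509.ECDSAWithSHA512, x509.PureEd25519:
		return "classical"
	}
	return "unknown"
}

// weight adds n to a risk score only when cond holds.
func weight(cond bool, n int) int {
	if cond {
		return n
	}
	return 0
}

// MigrationRisk ranks how hard a certificate is to move to post-quantum trust. Assumed
// weights (not the article's): 2 per dependent, 5 for a CA, 3 if classical, 2 if > 1 year left.
func MigrationRisk(c *x509.Certificate, dependents int, now time.Time) int {
	return 2*dependents + weight(c.IsCA, 5) + weight(QuantumExposure(c.SignatureAlgorithm) == "classical", 3) +
		weight(c.NotAfter.Sub(now) > 365*24*time.Hour, 2)
}

// selfSigned builds a constructed Ed25519 sample certificate (stand-in for a real store entry).
func selfSigned(cn string, isCA bool, days int) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

On a real estate, replace selfSigned with certificates parsed from your stores or endpoints and feed the dependent-system counts from the inventory; a long-lived internal CA with many dependents then sorts to the top of the migration list.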
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The NIST-aligned explanation of how post-quantum signature evaluation is progressing across multiple candidate families.
- The practical certificate lifecycle implications of running classical and post-quantum trust in parallel.
- The implementation framing for crypto-agility across applications, certificates, devices, and authentication systems.
- The article's own view on why ML-DSA is expected to be the primary enterprise signature algorithm.
👉 Read DigiCert's analysis of NIST's post-quantum signature evaluation →
Post-quantum crypto readiness: are your certificate controls flexible enough?
Explore further
Crypto-agility is the real control objective, not algorithm selection. The article’s central point is that PQC migration fails if organisations treat it as a one-time cryptographic swap. Standards will keep moving, products will update at different speeds, and trust paths will remain live across long-lived machine identities. The practical conclusion is that certificate and protocol adaptability is now the governing capability, not an implementation detail.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How do machine identities change the risk profile of post-quantum transition?
A: Machine identities multiply the number of trust relationships that must remain valid while cryptographic standards evolve. That turns PQC from a narrow cryptography project into a broad identity governance problem. Teams must account for service accounts, devices, APIs, and certificates together, not as separate workstreams.
👉 Read our full editorial: Post-quantum cryptography readiness depends on crypto-agility