IETF Post-Quantum Cryptography Protocol Standards
- Issuer: Internet Engineering Task Force (IETF)
- Effective date: May 1, 2018
- Published date: May 1, 2018
Summary
The IETF has standardized how post-quantum cryptographic algorithms are deployed in internet protocols including TLS 1.3, X.509 certificates, CMS, and SSH. Published RFCs include RFC 8391 (XMSS), RFC 8554 (LMS/HSS), and RFC 9370 (ML-KEM in TLS 1.3). Active work in the LAMPS working group has produced X.509 certificate profile RFCs for ML-DSA and SLH-DSA. These protocol-level standards are essential for real-world PQC deployment across internet infrastructure.
Milestones (2)
| Deadline | Label | Type | Hard | Notes |
|---|---|---|---|---|
| Jun 1, 2025 | ML-KEM in TLS 1.3 RFC published | Full Compliance | | RFC 9370 published June 2025, standardizing ML-KEM key exchange in TLS 1.3. |
| Sep 1, 2025 | ML-DSA and SLH-DSA X.509 certificate RFCs published | Full Compliance | | IETF LAMPS WG published X.509 certificate profile RFCs for ML-DSA and SLH-DSA in 2025. |
Algorithm references (5)
- XMSS (SP 800-208): Recommended
Replaces: RSA, ECDSA
Standardized in RFC 8391 (2018). Recommended for stateful hash-based signature use cases requiring long-term security guarantees.
- LMS / HSS (SP 800-208): Recommended
Replaces: RSA, ECDSA
Standardized in RFC 8554 (2019). Recommended for stateful hash-based signatures, particularly firmware and software signing.
- ML-KEM (FIPS 203): Recommended
Replaces: RSA, ECDH
Standardized for use in TLS 1.3 via RFC 9370 (2025). Defines ML-KEM key exchange for TLS connections.
- ML-DSA (FIPS 204): Recommended
Replaces: RSA, ECDSA
X.509 certificate profiles for ML-DSA standardized by IETF LAMPS WG in 2025.
- SLH-DSA (FIPS 205): Recommended
Replaces: RSA, ECDSA
X.509 certificate profiles for SLH-DSA standardized by IETF LAMPS WG in 2025.
PKI Impact
HIGH
IETF standards define the exact wire format and X.509 certificate structure required for PQC interoperability across the internet. RFC 9370 (TLS) and the LAMPS WG X.509 profile RFCs for ML-DSA and SLH-DSA are the normative references every PKI operator must implement to issue and validate PQC certificates in standard protocols.
Migration guidance
- Enable RFC 9370 ML-KEM key exchange in TLS 1.3 by updating TLS library dependencies — most production stacks (OpenSSL 3.5+, BoringSSL) now support it — before issuing PQC authentication certificates to ensure key exchange compatibility.
- Issue ML-DSA and SLH-DSA certificates using the OIDs and X.509 extensions defined in IETF LAMPS WG RFCs; non-standard OIDs will cause validation failures in compliant relying parties.
- For S/MIME and CMS, track IETF LAMPS WG progress on ML-DSA and ML-KEM CMS profiles to ensure certificate issuance aligns with finalized RFC formats before deployment.
- Validate RFC 8391 (XMSS) and RFC 8554 (LMS) implementation compliance in your firmware signing pipeline against the published test vectors before production use.
Trust chain considerations
- Root CAs must use IETF LAMPS WG-defined X.509 profiles for ML-DSA to issue interoperable PQC trust anchors; deviating from these profiles will cause chain validation failures in compliant relying parties.
- REVIEW: X.509 profile RFCs for ML-DSA and SLH-DSA were published in 2025 — verify your CA software supports the finalized OIDs and extension profiles before mass certificate issuance.
Changelog (4)
| Date | Type | Description |
|---|---|---|
| Jun 1, 2025 | Status | RFC 9370 published, standardizing ML-KEM for TLS 1.3 key exchange. IETF LAMPS WG simultaneously published X.509 certificate profile RFCs for ML-DSA and SLH-DSA, completing core protocol-layer PQC standardization. |
| Jul 1, 2024 | Amendment | IETF LAMPS and TLS working groups published updated drafts for ML-KEM in TLS 1.3 and ML-DSA/SLH-DSA in X.509 certificates following NIST FIPS 203/204/205 finalization. |
| Feb 1, 2019 | New | RFC 8554 published, standardizing LMS/HSS stateful hash-based signature scheme for internet use. |
| May 1, 2018 | New | RFC 8391 published, standardizing XMSS stateful hash-based signature scheme for internet use. |
Issuer
Internet Engineering Task Force (IETF)
Type: STANDARDS BODY
Region: Global