Merkle Tree Certificates and Enterprises

532 views
Skip to first unread message

Nalini Elkins

unread,
Jun 25, 2026, 9:39:08 AM (11 days ago) Jun 25
to pqc-forum

All,

I have started looking at the impact of Merkle Tree Certificates (MTC) on enterprise and private PKI deployments.

https://datatracker.ietf.org/doc/draft-ietf-plants-merkle-tree-certs/

This work was prompted by a discussion with a large enterprise. They pointed out that, for them, a certificate is much more than something used during a TLS handshake.

For example, imagine an employee authenticates to a corporate VPN using a client certificate. In some deployments, during authentication, the certificate is validated and the employee's identity is established. Many enterprise deployments then use certificate information—such as the Subject Distinguished Name (DN), Subject Alternative Name (SAN), Extended Key Usage (EKU), Certificate Policies, or enterprise-specific extensions—as inputs to authorization decisions, identity mapping, or audit logging. Years later, the organization may also need to retain enough information to reconstruct the authentication event for an audit, regulatory inquiry, or legal proceeding.

Another example is code signing. Organizations often archive signed software, the associated certificate, and validation information for many years. As enterprises migrate to post-quantum PKI and potentially to MTC, they will need guidance on what information should be preserved to maintain existing operational, audit, compliance, and evidentiary practices.

The enterprise's question was straightforward:

How should an enterprise continue to perform these functions in an MTC world?

As many of you know, one of the motivations for MTC is to reduce the impact of larger post-quantum certificates, particularly those using ML-DSA and related algorithms. Google and Cloudflare are actively evaluating MTC, and Cloudflare has described their work here:

https://blog.cloudflare.com/bootstrap-mtc/

DigiCert has also announced an MTC Playground for private PKI deployments.

I am trying to understand what guidance enterprises will need as they migrate to post-quantum PKI and, potentially, to MTC-based deployments.

Some of the questions I am exploring include:

  • Can an MTC relying party continue to access and process certificate information—such as Subject DN, SAN, EKU, Certificate Policies, Name Constraints, and enterprise-specific extensions—in the same way it does today?

  • If application, middleware, or validation library changes are required, what migration guidance should be provided?

  • What information should enterprises archive for long-term audit, compliance, forensic, and evidentiary purposes?

  • How should private PKIs deploy and operate MTC?

  • What enterprise deployment patterns or best practices should be documented?

My intent is to feed these deployment considerations into the IETF PLANTS Working Group. If appropriate, I may also write an Internet-Draft describing enterprise/private PKI deployment considerations.

https://datatracker.ietf.org/group/plants/about/

If you work with a large enterprise or operate a significant private PKI, I would appreciate the opportunity to interview you about how your organization uses certificates today—not just for TLS authentication, but also for identity, authorization, compliance, auditing, and operational purposes.

Examples of topics include:

  • How applications consume certificate information

  • Reliance on SANs, EKUs, Certificate Policies, Subject DNs, and custom extensions

  • Certificate retention and archival practices

  • Private PKI deployment models

  • Migration concerns for post-quantum PKI

  • Enterprise operational practices that should be preserved during migration

All responses will be treated anonymously unless you explicitly indicate otherwise.

If you are interested in participating, please contact me at:

nalini...@outsidethestacks.com

Thank you,

Nalini Elkins
Chief Technical Officer

Outside the Stacks, Inc.

John Mattsson

unread,
Jun 25, 2026, 11:41:53 AM (11 days ago) Jun 25
to pqc-...@list.nist.gov, nalini...@insidethestack.com
Nalini Elkins wrote:
>How should an enterprise continue to perform these functions in an MTC world?

An enterprise would not necessarily use MTC. If ML-DSA/SLH-DSA meets the performance requirements, using normal ML-DSA/SLH-DSA certs is likely preferable. MTC must offer a clear advantage that justifies its additional complexity; otherwise, I think existing ML-DSA/SLH-DSA-based PKI deployments remain the natural choice.

Cheers,
John Preuß Mattsson

Nalini Elkins

unread,
Jun 25, 2026, 11:48:51 AM (11 days ago) Jun 25
to pqc-forum, John Mattsson, nalini...@insidethestack.com
John,

>An enterprise would not necessarily use MTC. If ML-DSA/SLH-DSA meets the performance requirements, using normal ML-DSA/SLH-DSA certs is likely preferable. MTC must offer a clear >advantage that justifies its additional complexity; otherwise, I think existing ML-DSA/SLH-DSA-based PKI deployments remain the natural choice.

That is interesting.  Yes, it does make life simpler, in some ways, for enterprises.  I am doing some testing / benchmarking of ML-DSA / classical certs.   Let me see if I can get some numbers for enterprises on what testing with mldsa.digicert.com provides as far as performance, size, etc.   Enterprises often have many SANs, so their certs are big to start with!   We are also putting up the Digicert MTC playground to see how hard that will be for enterprises to do.  If you know of other playgrounds, test sites, that will be great to know.

Brent Kimberley

unread,
Jun 25, 2026, 12:51:32 PM (11 days ago) Jun 25
to John Mattsson, pqc-...@list.nist.gov, nalini...@insidethestack.com

Would SIS “MooN” ML-DSA signing improve determinism without compromising security strength?

 

From: 'John Mattsson' via pqc-forum <pqc-...@list.nist.gov>
Sent: June 25, 2026 11:42 AM
To: pqc-...@list.nist.gov; nalini...@insidethestack.com
Subject: [pqc-forum] Re: Merkle Tree Certificates and Enterprises

 

CAUTION: This email is from an external source. Verify sender before opening links and attachments.

 

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/AS4PR07MB88257153BBDFF37614E2C3AC89EC2%40AS4PR07MB8825.eurprd07.prod.outlook.com.

Nalini Elkins

unread,
Jun 26, 2026, 9:48:28 AM (10 days ago) Jun 26
to pqc-forum, Brent Kimberley, John Mattsson, nalini...@insidethestack.com
Is there any kind of public test point for this?  Or a github where this is implemented?   We can also compare this.

Antony Vennard

unread,
Jun 29, 2026, 5:19:26 AM (8 days ago) Jun 29
to Nalini Elkins, pqc-forum, John Mattsson
On Thu, 2026-06-25 at 08:48 -0700, Nalini Elkins wrote:
> John,
>
> > An enterprise would not necessarily use MTC. If ML-DSA/SLH-DSA
> > meets the performance requirements, using normal ML-DSA/SLH-DSA
> > certs is likely preferable. MTC must offer a clear >advantage that
> > justifies its additional complexity; otherwise, I think existing
> > ML-DSA/SLH-DSA-based PKI deployments remain the natural choice.
>
> That is interesting.  Yes, it does make life simpler, in some ways,
> for enterprises.  I am doing some testing / benchmarking of ML-DSA /
> classical certs.   Let me see if I can get some numbers for
> enterprises on what testing with mldsa.digicert.com provides as far
> as performance, size, etc.   Enterprises often have many SANs, so
> their certs are big to start with!   We are also putting up the
> Digicert MTC playground to see how hard that will be for enterprises
> to do.  If you know of other playgrounds, test sites, that will be
> great to know.

MTC specifically requires cosigners to validate CA operation when
issuing certificates. This inverts the model of certificate
transparency. There's nothing to prevent running cosigners in an
enterprise but whether that is something people do is another question.

For your performance metrics you may wish to look at pre-existing work
such as this excellent talk at the PKI Consortium:
https://pkic.org/events/2025/pqc-conference-austin-us/THU_BREAKOUT_1130_Panos-Kampanakis_How-much-will-ML-DSA-affect-Webpage-Metrics.pdf

The video is available as well I believe.

As you might expect, a significant variable is whether you are
requesting a TLS round-trip per resource, or multiplexing over a small
number of connections.

Kind regards,

Antony

Bas Westerbaan

unread,
Jun 29, 2026, 5:44:37 AM (8 days ago) Jun 29
to Antony Vennard, Nalini Elkins, pqc-forum, John Mattsson
MTC specifically requires cosigners to validate CA operation when
issuing certificates.

Not necessarily. You don't need it if you don't care about transparency. Even if you need it, it might be simpler in private PKIs.

Antony Vennard

unread,
Jun 29, 2026, 8:17:52 AM (7 days ago) Jun 29
to Bas Westerbaan, Nalini Elkins, pqc-forum, John Mattsson
On Mon, 2026-06-29 at 11:44 +0200, 'Bas Westerbaan' via pqc-forum
wrote:
Ah indeed, I misread. The CA could indeed "co"-sign itself and not
submit anywhere else if not required.

> --
> You received this message because you are subscribed to the Google
> Groups "pqc-forum" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to pqc-forum+...@list.nist.gov.
> To view this discussion visit
> https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAMjbhoXzRu58uUzxiBA2fCrT%3DfpAsPyF5A3sL7Ljabd_8xVcfw%40mail.gmail.com
> .

Nalini Elkins

unread,
Jul 2, 2026, 9:49:36 AM (4 days ago) Jul 2
to pqc-forum, Antony Vennard, Nalini Elkins, pqc-forum, John Mattsson, Bas Westerbaan
Actually, I have been doing some measurements myself aimed specifically at large enterprises and to give concrete data on whether they should do MTC.  I will be presenting the below at the IEPG forum at IETF 126 (mid-July) in Vienna.   The abstract is below.  I will do a paper and post here & likely a draft for the PLANTS WG at the IETF.   This is all going to be much more complicated for enterprises than we think.  But, let's go one step at a time.

Abstract
Measuring Deployment Characteristics of Post-Quantum TLS Authentication Mechanisms

The transition to post-quantum cryptography introduces multiple deployment choices for TLS authentication, including traditional X.509 certificates using ML-DSA, Merkle Tree Certificates (MTC), and other emerging mechanisms. While the cryptographic properties of these approaches are relatively well understood, there is comparatively little operational evidence to help architects evaluate their practical deployment implications.

This presentation describes an active measurement methodology for evaluating post-quantum TLS deployments. Rather than focusing solely on cryptographic correctness, the methodology measures deployment characteristics observed during live TLS handshakes, including certificate chain sizes, handshake message sizes, protocol negotiation behavior, post-quantum algorithm negotiation, fallback behavior, Subject Alternative Name (SAN) usage, certificate identity characteristics, and the relationship between certificate identities and the organizations operating the observed network infrastructure, including whether the associated IP address space and Autonomous System (ASN) are enterprise-owned or provided by third parties.

Using measurements collected from operational services, including financial institutions, healthcare organizations, major Internet companies, and emerging post-quantum test deployments, we discuss how empirical deployment data can help organizations evaluate the operational tradeoffs among ML-DSA certificates, Merkle Tree Certificates, and related approaches. The presentation will propose a framework for collecting operational metrics that support migration planning and discuss how these measurements can contribute to the development of operational deployment guidance for adoption of post-quantum authentication technologies.

The goal is to encourage discussion of measurement methodologies and operational metrics that enable evidence-based decision making and provide practical deployment insights that complement ongoing IETF standardization efforts. 

John Gray

unread,
Jul 3, 2026, 12:35:05 AM (4 days ago) Jul 3
to Nalini Elkins, pqc-forum, Antony Vennard, John Mattsson, Bas Westerbaan
Hi Nalini,

This is interesting work. We should definitely talk at Vienna.  Since the last IETF a few of us have been looking at MTC deployment use-cases.  In particular, how components of MTC could be used to optimize private PKI use cases (for example the landmark certificates optimization, batch sizing and downgrade detection).   For example, how it could be possible to make use of the landmark certificate optimization without requiring a transparency log.   We are going to publish an initial draft in PLANTS in the next few days (there will still be lots of todos), but think there is enough to ask for adoption.     

We don't talk about measurement statistics, so it seems like your work is complimentary!

Cheers,

John Gray




Nalini Elkins

unread,
Jul 3, 2026, 7:26:32 AM (3 days ago) Jul 3
to pqc-forum, John Gray, pqc-forum, Antony Vennard, John Mattsson, Bas Westerbaan, Nalini Elkins
John,

Great!  I may do a draft at PLANTS also.   

I will contact you privately as our nonprofit (Industry Network Technology Council https://industrynetcouncil.org/) is thinking about standing up some public ML-DSA (SL-DSA?) test points to start getting enterprises more familiar with what such certificates will look like.  We would like to collaborate with you (and anyone else who is interested!).   The easier we make it for people to get familiar with the new technologies, the better!  I will post our potential architecture / topology in this group also for comments / enhancements.

Anyone who wants to help, please DM me.   nalini...@insidethestack.com

Nalini
Reply all
Reply to author
Forward
0 new messages