Rupert Marais stands at the forefront of the next great evolution in digital security as Google’s Chrome team and the IETF pioneer a new era of quantum-safe communication. With his deep background in endpoint security and network management, Rupert has been closely monitoring the development of the PLANTS working group and the transition toward Merkle Tree Certificates. As the industry prepares for the looming threat of quantum computing, our discussion explores the technical shifts required to maintain a fast, secure, and transparent web without the bloat of traditional cryptographic signatures.
Traditional digital signatures often grow too large for efficient data exchange when quantum-safe algorithms are applied. How do Merkle Tree Certificates mitigate these bandwidth challenges, and what technical hurdles arise when replacing individual signatures with a unified “Tree Head” that represents millions of certificates?
The primary issue we face is that post-quantum cryptographic keys and signatures are significantly bulkier than the RSA or ECC algorithms we use today, which threatens to choke network performance. Merkle Tree Certificates, or MTCs, solve this by moving away from the model where every single certificate carries its own massive signature chain. Instead, a Certificate Authority aggregates millions of certificates into a single tree structure and signs only the “Tree Head,” which acts as a consolidated cryptographic fingerprint. The browser then only needs a lightweight proof—a path of hashes—to verify that a specific site belongs to that trusted tree. The real technical hurdle lies in the massive synchronization required; log operators must handle these enormous data structures in near real-time to ensure that the “Tree Head” remains accurate and accessible without creating a single point of failure for millions of connections.
Streamlining the TLS handshake involves embedding transparency directly into the issuance process to bypass separate log checks. What are the operational trade-offs of using compact proofs instead of traditional certificate chains, and how might this shift impact latency for high-traffic web services?
By integrating transparency directly into the certificate through these compact proofs, we effectively eliminate the need for the browser to perform a secondary, external check against a Certificate Transparency log. This reduces the number of round trips required during the TLS handshake, which is a huge win for high-traffic services where every millisecond of latency can impact user experience. However, the trade-off is a shift in operational responsibility; Certificate Authorities must now be perfectly synced with the logging process at the moment of issuance. If the tree isn’t updated or the proof is generated incorrectly, the certificate becomes instantly invalid, leaving no room for the slight propagation delays we sometimes see in the current system. This requires a much more robust and “always-on” infrastructure for CAs than the industry has historically maintained.
Current feasibility studies involve pairing new certificate structures with legacy fail-safes during live traffic tests. As the industry moves toward a dedicated quantum-resistant root store by 2027, what milestones must log operators reach to ensure a stable transition for public infrastructure?
We are currently in a critical feasibility phase where we pair MTCs with traditional X.509 certificates as a fail-safe to ensure users don’t see “broken” connections while we refine the technology. Looking toward 2027, the first major milestone occurs in the first quarter of that year, when selected log operators must begin bootstrapping the public MTC deployment to prove the system works at scale. By the third quarter of 2027, we expect to see the launch of the Chrome Quantum-resistant Root Store, which will be a completely new trust framework dedicated to these certificates. Operators will need to demonstrate that they can maintain continuous, externally verifiable monitoring and handle the high-throughput demands of a world where quantum-safe is the default.
Modernizing certificate governance requires moving toward ACME-only workflows and streamlined revocation systems. How do these automated processes enhance the oversight of externally verifiable monitoring, and what practical steps should organizations take now to align with these evolving trust frameworks?
The shift toward ACME-only workflows means we are moving away from manual, error-prone certificate management and toward a fully automated, programmatic model. This automation allows for much tighter oversight because every issuance and renewal leaves a digital trail that can be audited in real-time, making it harder for rogue certificates to go unnoticed. For organizations, the most practical step today is to audit their internal Public Key Infrastructure and start transitioning away from manual certificate deployments. You should begin experimenting with automated renewal tools now, as the upcoming quantum-resistant frameworks will likely mandate these automated pathways to ensure that shortened certificate lifespans and rapid revocation can be handled without human intervention.
What is your forecast for quantum-resistant HTTPS?
I believe we will see a bifurcated web in the short term, where private PKIs adopt quantum-safe X.509 certificates later this year, while the public web waits for the more efficient Merkle Tree structures to mature. By 2027, the introduction of a dedicated quantum-resistant root store will mark a “point of no return,” where legacy encryption starts to feel like a liability rather than a standard. Eventually, the efficiency of MTCs will make them the preferred choice not just for security, but for performance, leading to a faster and more transparent internet that is fundamentally built to survive the quantum age. Organizations that fail to automate their certificate lifecycles now will likely find themselves struggling to keep up with the rapid update cycles required by this new, more agile trust model.
