Kai Ole Hartwig — Blog
8 min read
By

Post-Quantum Security Is Not a Future Problem — RFC 9964, ML-DSA and What I Already Run in Production

22 May 2026. With RFC 9964, the IETF has defined a standardised framework for integrating ML-DSA — the new NIST Post-Quantum signature standard — into JOSE- and COSE-based systems. This directly affects JWTs, OAuth 2.0, OpenID Connect, and all machine identities built on these protocols. At the same time, Keycloak is beginning to look at PQ signature support. I am already running Post-Quantum hybrid key exchange via Caddy in production. Here is what that means in practice — and why Crypto Agility is the architectural decision that needs to be made today.

Halb geöffnete Betontür eines modernen Rechenzentrums — davor ein dunkles Slate-Plinth mit einem aufgerollten oxblood-Kabel und einem Rack-Modul mit Kraft-Paper-Etikett, im Hintergrund die Mosel-Weinberghänge.
AI-generated · gpt-image 2.0

TL;DR — the 90-second summary

Most organisations still file Post-Quantum cryptography under “interesting, but not now”. Understandable — the threat from quantum computers sounds like science fiction. The problem is that the standards, libraries, and platforms are being built right now.

RFC 9964 standardises ML-DSA for JOSE and COSE systems. That means JWTs, OAuth tokens, and OpenID Connect flows can now be migrated to Post-Quantum signatures through a standardised path. Keycloak — the most widely used open-source IAM platform — is actively watching this space.

Caddy, which I run as my reverse proxy and TLS terminator, already supports Post-Quantum hybrid key exchange in its production TLS stack. Compatible clients benefit from hybrid PQ key exchange today, on every connection.

The real question is not whether, but when and how fast. Anyone building platforms for the next five to ten years needs to embed Crypto Agility as an architectural principle — the ability to swap cryptographic algorithms in a controlled way, before an incident forces the issue.

This is not a future topic — the standards are being built right now

Mention Post-Quantum cryptography and you often get the same response: “Yes, that will matter one day. But quantum computers aren’t breaking encryption today.“ That is true. And it still misses the point.

The question is not whether a quantum computer will break RSA in real time tomorrow. The question is when the algorithms your platform runs on will be considered insufficient — and how much lead time you will have then.

What has happened over the past few years was not an academic exercise:

This is not a research agenda. It is the production roadmap for the next five years.

RFC 9964 — what this means for digital identities in practice

RFC 9964 may look like yet another IETF specification in a long line. But what it addresses is directly relevant to modern platform architecture.

Virtually every API layer, every identity system, and every service-to-service communication today relies on JOSE-based protocols:

These protocols use cryptographic signatures — so far based on RSA or ECDSA. RFC 9964 defines how ML-DSA is integrated as a Post-Quantum signature algorithm into this world: with standardised algorithm identifiers, key representations, and signature formats for JWS and JWK.

What this means: identity providers, API gateways, and every platform that issues or validates JOSE-based tokens now has a standardised migration path — without proprietary workarounds.

This is the moment Post-Quantum cryptography stops being theory.

Caddy — Post-Quantum TLS already running in my production stack

More concrete than RFC 9964 is what I already have in production.

I run Caddy as my reverse proxy and TLS terminator. Caddy supports Post-Quantum hybrid key exchange in the TLS handshake — specifically hybrid key exchange combining classical Elliptic-Curve Diffie-Hellman with ML-KEM.

What this means in practice:

This is not a lab experiment and not a pilot. It is my production default stack.

The advantage for me: I am building operational experience with PQ hybrid before anyone forces my hand. If in three years an identity provider requires PQ signatures, or an audit asks about PQ readiness, I have an answer based on production data — not a slide deck.

Why Keycloak makes this development interesting

Caddy handles TLS. RFC 9964 handles the signature standard for JOSE. The next escalation step comes when identity providers actually start issuing PQ signatures.

Keycloak is the central IAM platform for many mid-market stacks: Single Sign-On, OAuth 2.0, OpenID Connect, LDAP integration. When Keycloak starts supporting ML-DSA signatures in JWTs, the trust graph changes across every downstream service.

I am actively watching the ongoing work on Keycloak Post-Quantum signature support — not because I am planning a migration any time soon. But because the moment an identity provider starts issuing PQ tokens is the moment every downstream system needs to be able to validate them.

Anyone who hears about that for the first time when it happens will not have time for a calm architectural decision. Anyone who already knows it today has a structural advantage.

Crypto Agility — the real architectural challenge

Whether you are already running ML-DSA or ML-KEM is the wrong question. The right question is: How quickly could you, if you had to?

That is Crypto Agility — the ability to swap cryptographic algorithms in a controlled way, without operational disruption and without an architectural emergency.

What Crypto Agility requires:

Organisations that already have this in place will roll out PQ migrations like a planned upgrade. Everyone else will experience them as an emergency operation.

What this means for your platform in concrete terms

I do not recommend rushed migrations today. Anyone who hastily integrates a PQ algorithm into their platform without the foundations in place creates more attack surface than they remove.

What makes sense — and makes sense now:

Understand your cryptographic inventory. Where are certificates in use? Which systems issue or validate tokens? Which algorithms do your TLS connections, identity providers, and API gateways rely on? Anyone who cannot answer this has no basis for a migration — regardless of which algorithm they choose.

Prefer modern platform components. Caddy over older reverse proxies. Keycloak over proprietary legacy IAM systems. Automated certificate management over manual renewal. These decisions are sensible in their own right — and as a side effect they build the foundation for a PQ migration when it becomes necessary.

Establish Crypto Agility as an architectural principle. Cryptographic configuration in code, centralised key and certificate management, processes for controlled algorithm changes. Not because quantum computers are knocking on the door tomorrow — but because algorithm changes are a normal part of platform operations, and in a functioning DevSecOps structure they should never be an emergency.

Frequently asked questions about Post-Quantum Security and Crypto Agility

Conclusion

Post-Quantum Security is not a topic you can defer to “someday”. The standards are set. The first platform components are implementing them. The identity systems will follow.

What I do: where technologies are production-ready, I use them. Caddy runs with Post-Quantum hybrid key exchange. I am actively watching RFC 9964 and the Keycloak developments. And the architectural principles — Crypto Agility, centralised identity management, automated certificate management — are not Post-Quantum measures. They are good platform architecture that delivers PQ readiness as a side effect.

Good security architectures do not emerge when a migration becomes unavoidable. They emerge by understanding technological developments early, evaluating them honestly — and integrating them sensibly into modern platforms.

How crypto-agile is your platform today?

I assess where your infrastructure stands cryptographically — and what PQ readiness means concretely for your APIs, identity provider, and TLS stack.

Author of this post

[Translate to English:] Foto von Kai Ole Hartwig.

Kai Ole Hartwig

Freelance DevSecOps consultant · OnlyOle Consulting

Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.