Episode 177 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Post-Quantum Cryptography: Transition in IAM

Description

This episode will examine how post-quantum cryptography is reshaping identity and access management. We will begin with the practical risks driving urgency, including Harvest Now, Decrypt Later and Trust Now, Forge Later, and why long-lived identity data is especially exposed. From there, we will discuss crypto agility as a design requirement rather than a feature, and how hybrid post-quantum algorithms are being used to bridge the transition period. Finally, we will explore how core IAM protocols such as TLS, OAuth, OIDC, SAML, and X.509-based trust models are likely to evolve, what breaks first, and what architects should start preparing for today.

Homework

  1. https://csrc.nist.gov/projects/post-quantum-cryptography
  2. Medium Article Trust Now, Forge Later: The Real Nightmare of Digital Trust
  3. IBM Blog Crypto Agility
  4. CloudFlare SSL blog
  5. Hybrid Confusion, Composite Promise: Reflections from the PKI Consortium’s 2025 PQC Conference

Takeaways

  • ⚡ Signing, not encryption, is the biggest risk posed by post-quantum cryptographic attacks. Any trust model based on signatures, such as electronically signed documents or hardware authenticity, will be useless once signatures can be forged: fraudulent artifacts will be impossible to distinguish from legitimate ones.

  • ⚡ Crypto agility is the real architectural aspiration. The goal is not merely swapping RSA for a new algorithm once, but designing systems so cryptography, providers, keys, and rotation policies can evolve without rewriting business logic.

  • ⚡ Legacy IAM protocols and deployments will be the hardest part of the migration. Older applications that use Kerberos, SAML, WS-Trust, etc. will live on even if they never support PQC; long-lived enterprise integrations rarely disappear, as Alex Weinert observed in Episode 176.

  • ⚡ The software industry is underprepared if the apocalyptic PQC date really is 2030. NIST is pushing migration planning, but most organizations still do not have a clear inventory of where vulnerable cryptography lives.

  • ⚡ New software should produce a cryptographic bill of materials, or "CBOM", documenting where cryptographic signing and encryption are used.
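The two takeaways above on inventory and CBOMs are the most actionable for an IAM team, so here is an added example (not code from the episode, its guests, or Gluu) of what the first step looks like for an OAuth/OIDC deployment: walk the "alg" values in issued JWT headers and the key types in an issuer's JWKS, tag each one by its post-quantum exposure, and emit a CBOM-style summary. Algorithm names come from RFC 7518; the ML-DSA identifiers are an assumption, since JOSE names for NIST's post-quantum signatures are still in IETF drafts. The tokens and JWKS document are constructed sample data, and the script only parses headers; it performs no signature verification.

```python
"""Crypto-inventory helper for OAuth/OIDC deployments (constructed example).

Walks JWT protected headers and a JWKS document, tags every algorithm or key
type with its post-quantum exposure, and emits a CBOM-style summary. Stdlib only.
"""
import base64
import json
from collections import Counter

# JOSE algorithm names from RFC 7518. Anything built on RSA, ECDSA/EdDSA or
# Diffie-Hellman key agreement is broken by Shor's algorithm; symmetric
# algorithms only lose security margin to Grover's algorithm.
QUANTUM_VULNERABLE = {
    "RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
    "ES256", "ES384", "ES512", "EdDSA",
    "RSA1_5", "RSA-OAEP", "RSA-OAEP-256",
    "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
}
SYMMETRIC = {
    "HS256", "HS384", "HS512",
    "A128KW", "A192KW", "A256KW", "A128GCM", "A192GCM", "A256GCM", "dir",
}
# Assumed identifiers: JOSE names for NIST's ML-DSA (FIPS 204) are still in
# IETF drafts, so these strings are placeholders for whatever gets finalised.
POST_QUANTUM = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}

# Key types (RFC 7518 section 6.1) used for JWKS entries that carry no "alg".
KTY_STATUS = {"RSA": "quantum-vulnerable", "EC": "quantum-vulnerable",
              "OKP": "quantum-vulnerable", "oct": "symmetric"}


def classify_alg(alg):
    """Map a JOSE 'alg' value to its post-quantum exposure category."""
    if alg in POST_QUANTUM:
        return "post-quantum"
    if alg in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if alg in SYMMETRIC:
        return "symmetric"
    if alg == "none":
        return "insecure"
    return "unknown"


def _b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_header(token):
    """Parse only the protected header; no signature check is performed here."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def inventory(tokens, jwks):
    """Return a CBOM-style component list plus a per-status count."""
    components = []
    for i, tok in enumerate(tokens):
        hdr = jwt_header(tok)
        alg = hdr.get("alg", "none")  # a missing alg is treated like alg=none
        components.append({"source": f"jwt[{i}]", "kid": hdr.get("kid"),
                           "alg": alg, "status": classify_alg(alg)})
    for key in jwks.get("keys", []):
        alg = key.get("alg")
        # Keys without an explicit alg are classified by key type instead.
        status = classify_alg(alg) if alg else KTY_STATUS.get(key.get("kty"), "unknown")
        components.append({"source": "jwks", "kid": key.get("kid"),
                           "alg": alg or key.get("kty"), "status": status})
    counts = Counter(c["status"] for c in components)
    return {"components": components, "summary": dict(counts)}


def make_token(header):
    """Build a JWT-shaped string with a dummy payload and signature (constructed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'demo'})}.c2ln"  # 'c2ln' is base64url("sig")


# Constructed sample data: three issued tokens and an issuer's JWKS.
SAMPLE_TOKENS = [
    make_token({"alg": "RS256", "kid": "rsa-2023", "typ": "JWT"}),
    make_token({"alg": "HS256", "kid": "hmac-1", "typ": "JWT"}),
    make_token({"alg": "ML-DSA-65", "kid": "pq-2026", "typ": "JWT"}),
]
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-2023", "alg": "RS256", "n": "placeholder-n", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-2024", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"},
    {"kty": "oct", "kid": "hmac-1", "k": "placeholder-k"},
]}

if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE_TOKENS, SAMPLE_JWKS), indent=2))
```

On the sample data this reports three quantum-vulnerable components (the RS256 token, the RSA key, and the P-256 key that carries no alg), two symmetric ones, and one post-quantum one. The useful part for migration planning is the per-kid list rather than the count: it tells you which issuers and key identifiers must rotate first, and a crypto-agile deployment is one where that rotation changes only the JWKS and the allowed-alg policy, not the application code that validates tokens.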

Livestream Audio Archive