Post-Quantum Cryptographic Agility Profile for ACME

Post-Quantum Cryptographic Agility Profile for ACME Sanctum SecOps LLC

128 Dry Run Rd Pine City NY 14871 United States of America bvicente@sanctumsecops.com https://orcid.org/0009-0006-6395-5308

Security Automated Certificate Management Environment post-quantum cryptography PQC ACME agility profile PQC readiness hybrid certificates tenant isolation This document defines an Automated Certificate Management Environment (ACME) [RFC8555] profile extension that enables ACME servers and clients to express per-account and per-order post-quantum cryptographic (PQC) posture. The extension introduces a pqcAgility metadata object in the ACME directory, an optional pqcAgility member in order objects, and a server-side adequacy scoring mechanism that determines whether a given order satisfies an account's declared PQC readiness threshold. The profile is designed for both public and private ACME deployments and does not modify the core ACME state machine: it adds discoverable capability metadata and per-order policy directives that servers MAY enforce. Multi-tenant ACME servers MUST implement tenant-isolation controls that prevent cross-account PQC posture leakage. This document is distinguished from draft-giron-acme-pqcnegotiation [I-D.giron-acme-pqcnegotiation], which defines algorithm negotiation at the ACME protocol level. This profile operates above the negotiation layer: it defines per-account posture scoring, adequacy thresholds, hybrid policy bits, rotation epoch anchoring, and tenant-isolation requirements that apply regardless of which negotiation mechanism is used. Source for this draft is maintained at https://github.com/Sanc-Admin/acme-pqc-agility-profile. A citable archival version is published at Zenodo upon each tagged release. Author ORCID: https://orcid.org/0009-0006-6395-5308. Discussion of this document should occur on the ACME working group mailing list (acme@ietf.org). The author has filed United States patent applications covering subject matter relevant to this document, including U.S. Provisional Patent Application No. 64/080,137 (filed 2026-06-01) and U.S. Patent Application No. 19/698,870 (filed 2026-06-05). By posting this Internet-Draft, the author submits to the IETF Trust the rights described in Section 5 of BCP 78 and BCP 79. Patent licensing terms are not yet known. Implementers and reviewers should consult the IETF Datatracker IPR disclosure page for this document for current disclosure status. The Sanctum SecOps Private Enterprise Number (PEN) root used for any OID allocations referenced in companion documents is 1.3.6.1.4.1.65953. The scope of the pending patent applications includes, but is not limited to, the per-account PQC posture scoring, adequacy threshold gating, tenant-isolation orchestration, and rotation epoch anchoring mechanisms described in this document. This Internet-Draft itself does not grant any patent license. Implementation parameters that would extend beyond the disclosed interface (including but not limited to scoring weights, rotation triggers, tenant carve-out parameters, and adequacy thresholds) are intentionally out of scope and are not disclosed in this Internet-Draft.

Introduction ACME [RFC8555] is the dominant protocol for automated certificate issuance. As certificate deployments migrate to post-quantum cryptography (PQC) — driven by NIST FIPS 203 [FIPS203], FIPS 204 [FIPS204], and FIPS 205 [FIPS205] — ACME implementations require a uniform mechanism to express per-account PQC posture and enforce per-order PQC policy. This document defines that mechanism. It is intentionally scoped to the policy and posture layer, above the algorithm negotiation layer addressed by draft-giron-acme-pqcnegotiation [I-D.giron-acme-pqcnegotiation]. The two documents are complementary: algorithm negotiation determines which PQC algorithms a server supports; this profile determines whether a given order satisfies an account's declared PQC readiness requirements and how multi-tenant isolation is maintained.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.

PQC Agility Profile: The set of pqcAgility metadata, per-account posture fields, and per-order policy directives defined in this document.
Adequacy Score: A server-computed numeric measure of how well a given order's algorithm set satisfies an account's declared PQC readiness threshold. Scoring weights are deployment-specific and not disclosed in this document.
Hybrid Required: A per-order policy bit indicating that the issued certificate MUST include both a classical and a PQC algorithm (composite or dual-key).
Rotation Epoch ID: An opaque server-issued identifier anchoring a certificate issuance to a specific key-rotation window, enabling coordinated enterprise-wide migration.

ACME Directory Metadata An ACME server supporting this profile MUST include a pqcAgility object in its directory metadata response [RFC8555] Section 7.1.1. The object has the following fields:

supportedPQCAlgorithms: Array of OID strings identifying PQC algorithms the server supports for certificate issuance.
hybridModes: Array of strings identifying supported hybrid algorithm combinations (e.g., "ML-DSA-65+ECDSA-P256").
compositeChainPolicies: Array of identifiers for supported composite chain policies.
pqcAdequacyThresholdDefault: The default adequacy score threshold below which orders are rejected. MAY be overridden per account.

Order Object Extensions An ACME client MAY include a pqcAgility member in an order object submitted via POST to the newOrder endpoint [RFC8555] Section 7.4. The member carries the following fields:

pqcAlgorithmPreferences: Ordered array of OID strings expressing the client's algorithm preference. The server MUST honor the preferences to the extent compatible with its policy.
hybridRequired: Boolean. When true, the server MUST issue a hybrid certificate (composite or dual-key). The server MUST reject the order with a pqcPolicyViolation error if hybrid issuance is not possible.
rotationEpochId: Opaque string. When provided, the server associates this order with the specified rotation epoch. Servers that do not support epoch anchoring MAY ignore this field.
compositeChainPolicy: Identifier string selecting a specific composite chain policy from the server's directory metadata.

The server MUST honor or reject the pqcAgility directive based on its configured policy. A rejection MUST return an ACME error of type "urn:ietf:params:acme:error:pqcPolicyViolation".

PQC Adequacy Scoring Servers implementing this profile MAY compute a per-order adequacy score based on the requested algorithm set, hybrid posture, and the account's declared readiness threshold. The scoring algorithm is deployment-specific and is not specified in this document; concrete scoring parameters are intentionally out of scope to preserve implementation flexibility and to avoid constraining patent-pending orchestration mechanisms. Servers MUST NOT expose raw adequacy scores to clients in a way that reveals other accounts' posture information.

Tenant Isolation Multi-tenant ACME servers MUST ensure that pqcAgility directives from one account do not influence issuance decisions for other accounts. Specifically:

Per-account pqcAgility configuration MUST be stored and evaluated in an account-scoped data structure.
Adequacy scores and readiness thresholds MUST NOT be shared across account boundaries.
Rotation epoch IDs MUST be validated against the requesting account's authorized epoch set.

Concrete tenant-isolation implementation parameters are deployment-specific and are not disclosed in this document.

Related Work draft-giron-acme-pqcnegotiation [I-D.giron-acme-pqcnegotiation] defines algorithm negotiation at the ACME protocol level: it introduces PQC algorithm fields in account and order objects to allow clients and servers to negotiate which PQC algorithms are used. This document is complementary: it operates above the negotiation layer and defines per-account posture scoring, hybrid policy enforcement, rotation epoch anchoring, and tenant-isolation requirements. An ACME server MAY implement both documents simultaneously; the negotiation mechanism of draft-giron-acme-pqcnegotiation determines algorithm selection, while this profile determines whether the resulting algorithm set satisfies the account's PQC readiness threshold. NIST FIPS 203 [FIPS203], FIPS 204 [FIPS204], and FIPS 205 [FIPS205] define the ML-KEM, ML-DSA, and SLH-DSA post-quantum algorithms, respectively. Algorithm OIDs referenced in this profile correspond to these standards. draft-ietf-lamps-pq-composite-sigs [I-D.ietf-lamps-pq-composite-sigs] defines composite signature algorithms combining a PQC algorithm with a classical algorithm. The composite chain policies referenced in this document support such algorithms.

Security Considerations PQC posture metadata is security-sensitive. ACME servers SHOULD treat per-account pqcAgility configuration with the same access controls as account key material. Servers MUST NOT expose aggregated tenant PQC posture information through any unauthenticated endpoint. Clients SHOULD validate hybrid certificate chains end-to-end, verifying both the classical and PQC signature paths independently. Harvest-now-decrypt-later (HNDL) attacks motivate the urgency of hybrid deployment. The hybridRequired field provides a mechanism for accounts that require protection against HNDL during the migration period. Rotation epoch IDs SHOULD be cryptographically bound to the issuing server's current state to prevent replay of stale epoch identifiers.

IANA Considerations IANA is requested to register the following ACME error type:

Type: "urn:ietf:params:acme:error:pqcPolicyViolation"
Description: The order was rejected because it does not satisfy the account's PQC agility profile policy.
Reference: This document.

IANA is also requested to create an "ACME PQC Agility" registry for composite chain policy identifiers, with a registration policy of Specification Required.

References Normative References Key words for use in RFCs to Indicate Requirement Levels Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words Automatic Certificate Management Environment (ACME) Informative References Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) National Institute of Standards and Technology Module-Lattice-Based Digital Signature Standard (ML-DSA) National Institute of Standards and Technology Stateless Hash-Based Digital Signature Standard (SLH-DSA) National Institute of Standards and Technology Algorithm Negotiation in ACME for Post-Quantum Cryptography Composite ML-DSA for use in Internet PKI

Changelog

-01 (2026-06-23)

Added Related Work section explicitly differentiating this document from draft-giron-acme-pqcnegotiation-03. The giron draft addresses algorithm negotiation at the ACME protocol level; this profile addresses posture scoring, adequacy thresholds, hybrid policy enforcement, rotation epoch anchoring, and tenant isolation.
Added giron draft to informative references with proper citation.
Expanded abstract to include differentiation statement.
Added FIPS 203/204/205 normative references.
Added composite-sigs informative reference.
Expanded Tenant Isolation section with concrete MUST requirements.
Added adequacy scoring section clarifying that scoring weights are deployment-specific (patent-pending).
Added HNDL threat context to Security Considerations.
Updated postal address to Pine City NY 14871.
Bumped docName to -01.

-00 (2026-06-08)

Initial submission.