Overview
- Google has begun experimenting with Merkle Tree Certificates (MTCs) on live traffic with Cloudflare; every MTC-backed connection is still authenticated by a traditional X.509 certificate as a fallback.
- Under the MTC approach, a Certification Authority signs a single tree head covering potentially millions of certificates, and browsers verify a compact inclusion proof, which reduces TLS handshake data and makes issuance transparency intrinsic.
- Chrome says it will not add post-quantum X.509 certificates to its Root Store for now because larger keys and signatures would degrade performance and strain Certificate Transparency logs.
- The roadmap sets Phase 2 for Q1 2027 to invite qualifying CT log operators to bootstrap public MTCs, followed by Phase 3 in Q3 2027 to finalize requirements for a new Chrome Quantum-resistant Root Store and an MTCs-only root program.
- The initiative aligns with standardization in the IETF PLANTS working group and proposes governance updates such as ACME-only enrollment, streamlined revocation, and continuous external monitoring.