Signed Twice, Broken Never: The Rise of Hybrid PKI

Ganesh Mallaya

BSides Seattle 2026 · Day 1 · Track 1

Ganesh Mallaya, who works at Appux and contributes to the **CA/Browser Forum** and **IETF** standards bodies on post-quantum signature standards, delivered a dense technical briefing on why and how organizations should begin transitioning their PKI to hybrid certificates, specifically the composite form, in which a classical signature and a post-quantum signature are carried together and a relying party accepts the certificate only if both verify. The talk addresses two distinct threats: the familiar **Harvest Now, Decrypt Later** (recorded traffic is decrypted once the key exchange is broken, targeting confidentiality) and the less-discussed **Trust Now, Forge Later** (an attacker who later breaks the classical signature algorithm can forge signatures on certificates that relying parties still accept, targeting authenticity and integrity of the trust chain).
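The verification rule that the title alludes to, as an added example and not code from the talk or from any standards draft: a composite signature is two component signatures over the same domain-separated input, and the verifier accepts only if both verify. Go's standard library has no ML-DSA, so this example uses Ed25519 as the classical component and ECDSA P-256 as a stand-in for the post-quantum component; the `domainLabel` string, the length-prefixed hashing in `toBeSigned`, and the `ForgeOneComponent` attacker model (the attacker has fully broken the classical algorithm, modelled as holding the classical private key, but not the second one) are assumptions of this example, not the encoding any draft specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// CompositeKey pairs a classical key with a second, independent key.
// Assumption: ECDSA P-256 stands in for the post-quantum component
// because the standard library does not ship ML-DSA.
type CompositeKey struct {
	classPriv ed25519.PrivateKey
	classPub  ed25519.PublicKey
	pqPriv    *ecdsa.PrivateKey
}

type CompositePublicKey struct {
	classPub ed25519.PublicKey
	pqPub    *ecdsa.PublicKey
}

// CompositeSignature carries both component signatures. Verification has
// AND semantics: breaking one algorithm yields nothing usable.
type CompositeSignature struct {
	Classical []byte
	PQ        []byte
}

// domainLabel is an assumed domain separator so that a component signature
// cannot be lifted out and presented as a plain single-algorithm signature.
const domainLabel = "composite-signature-example-v1"

func GenerateCompositeKey() (*CompositeKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pq, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CompositeKey{classPriv: priv, classPub: pub, pqPriv: pq}, nil
}

func (k *CompositeKey) Public() CompositePublicKey {
	return CompositePublicKey{classPub: k.classPub, pqPub: &k.pqPriv.PublicKey}
}

// toBeSigned binds the message to the composite context: SHA-256 over
// label || len(msg) || msg, so both components sign identical bytes.
func toBeSigned(msg []byte) []byte {
	h := sha256.New()
	h.Write([]byte(domainLabel))
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(msg)))
	h.Write(n[:])
	h.Write(msg)
	return h.Sum(nil)
}

func (k *CompositeKey) Sign(msg []byte) (CompositeSignature, error) {
	tbs := toBeSigned(msg)
	ps, err := ecdsa.SignASN1(rand.Reader, k.pqPriv, tbs)
	if err != nil {
		return CompositeSignature{}, err
	}
	return CompositeSignature{Classical: ed25519.Sign(k.classPriv, tbs), PQ: ps}, nil
}

// Verify evaluates both components before deciding, so that a rejection
// does not short-circuit on the first failure.
func (p CompositePublicKey) Verify(msg []byte, sig CompositeSignature) error {
	tbs := toBeSigned(msg)
	okClassical := ed25519.Verify(p.classPub, tbs, sig.Classical)
	okPQ := ecdsa.VerifyASN1(p.pqPub, tbs, sig.PQ)
	if !okClassical || !okPQ {
		return errors.New("composite verification failed: both components must verify")
	}
	return nil
}

// ForgeOneComponent models "Trust Now, Forge Later": the attacker has broken
// the classical algorithm (modelled here as holding the victim's classical
// private key) but not the second one, and signs the second component with
// a key of their own.
func ForgeOneComponent(victim *CompositeKey, msg []byte) (CompositeSignature, error) {
	tbs := toBeSigned(msg)
	attackerPQ, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CompositeSignature{}, err
	}
	ps, err := ecdsa.SignASN1(rand.Reader, attackerPQ, tbs)
	if err != nil {
		return CompositeSignature{}, err
	}
	return CompositeSignature{Classical: ed25519.Sign(victim.classPriv, tbs), PQ: ps}, nil
}

func main() {
	k, err := GenerateCompositeKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs standing in for a certificate's TBS bytes.
	msg := []byte("tbsCertificate: CN=example.test")
	sig, _ := k.Sign(msg)
	fmt.Println("honest composite verifies:", k.Public().Verify(msg, sig) == nil)
	forgedMsg := []byte("tbsCertificate: CN=attacker.test")
	forged, _ := ForgeOneComponent(k, forgedMsg)
	fmt.Println("one-component forgery verifies:", k.Public().Verify(forgedMsg, forged) == nil)
}
```

The honest signature verifies and the forgery with only the classical component under the victim's key is rejected; the same AND rule is what makes the transition safe in the other direction, since a future break of the post-quantum component alone is equally useless while the classical component still holds.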

AI review

A technically credible talk on hybrid PKI from someone directly involved in IETF and CA/Browser Forum standards work. The composite certificate concept is well explained, with lab data from Cloudflare and Google cited as showing a 30% size reduction over full PQC certificates. The Trust Now, Forge Later framing adds a useful dimension beyond the usual Harvest Now, Decrypt Later discussion. Loses points for being standards-process-heavy rather than demonstrating novel exploitation or breaking new cryptographic ground.

Watch on YouTube