Abstract
Enterprises face an immediate need to protect long-lived data against harvest-now, decrypt-later threats while maintaining interoperability across layered systems. With NIST’s first post-quantum standards finalized (ML-KEM, ML-DSA, SLH-DSA) and TLS hybridization drafts defining concrete ECDHE + ML-KEM groups, adoption can begin at the TLS termination layer even before full ecosystem support for post-quantum signatures arrives (NIST, 2024; IETF, 2025). In this paper, we propose an enterprise-oriented transition framework and maturity model for hybrid TLS across email, internal API gateways, and object storage. We specify where to enforce, which hybrid groups to select, and how to prevent silent downgrade with policy pinning and negotiated-group telemetry. A controls map, risk register, and procurement/readiness checklist translate standards and drafts into auditable operational outcomes. The result is a governance-first blueprint that accelerates post-quantum readiness without requiring immediate, organization-wide cryptographic replacement.
Document Type
Paper
Disciplines
Computer and Systems Architecture | Digital Communications and Networking | Systems Science
DOI
10.25776/4k36-zz72
Included in
Computer and Systems Architecture Commons, Digital Communications and Networking Commons, Systems Science Commons
A Transition Framework for Hybrid TLS in Enterprise-Level Systems
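The downgrade-prevention mechanism the abstract describes (policy pinning plus negotiated-group telemetry), as an added illustration that is not code from the paper: it assumes a hypothetical per-enforcement-layer pinned policy and constructed handshake telemetry records, and uses the hybrid group names defined in the IETF ECDHE + ML-KEM draft.

```python
from collections import Counter

# Hybrid ECDHE + ML-KEM group names from the IETF TLS hybrid draft.
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}
# Classical-only groups that a hybrid-capable peer may silently fall back to.
CLASSICAL_GROUPS = {"x25519", "secp256r1", "secp384r1"}

# Hypothetical pinned policy per enforcement layer: "require" means a
# classical-only negotiation is a silent downgrade; "prefer" only measures it.
PINNED_POLICY = {
    "api-gateway": "require",
    "object-storage": "require",
    "email-mta": "prefer",
}

# Constructed negotiated-group telemetry, one record per completed handshake.
TELEMETRY = [
    {"layer": "api-gateway", "peer": "svc-billing", "group": "X25519MLKEM768"},
    {"layer": "api-gateway", "peer": "svc-legacy", "group": "x25519"},
    {"layer": "object-storage", "peer": "backup-agent", "group": "SecP256r1MLKEM768"},
    {"layer": "object-storage", "peer": "old-sdk", "group": "secp256r1"},
    {"layer": "email-mta", "peer": "mx.partner.example", "group": "x25519"},
    {"layer": "email-mta", "peer": "mx.modern.example", "group": "X25519MLKEM768"},
    {"layer": "api-gateway", "peer": "svc-odd", "group": "ffdhe2048"},
]

def classify(group):
    """Map a negotiated group name to hybrid / classical / unknown."""
    if group in HYBRID_GROUPS:
        return "hybrid"
    if group in CLASSICAL_GROUPS:
        return "classical"
    return "unknown"

def evaluate(records, policy):
    """Return (findings, coverage): downgrade and unknown-group findings
    in telemetry order, plus the hybrid-handshake ratio per layer."""
    findings = []
    totals, hybrids = Counter(), Counter()
    for r in records:
        kind = classify(r["group"])
        totals[r["layer"]] += 1
        if kind == "hybrid":
            hybrids[r["layer"]] += 1
        elif kind == "unknown":
            findings.append(("unknown-group", r["layer"], r["peer"], r["group"]))
        elif policy.get(r["layer"]) == "require":
            findings.append(("silent-downgrade", r["layer"], r["peer"], r["group"]))
    coverage = {layer: hybrids[layer] / totals[layer] for layer in totals}
    return findings, coverage
```

Feeding the coverage ratios into the maturity model gives a per-layer readiness number, while each "silent-downgrade" finding names the peer that still needs remediation.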