Google’s recent announcement outlining a roadmap toward quantum-resistant web authentication is one of the most consequential shifts in internet trust infrastructure we’ve seen in years.

This is not a simple cryptographic upgrade. Google is proposing a fundamental redesign of how public web certificates are structured, issued, and verified, moving from traditional X.509 certificate chains to a new model based on Merkle Tree Certificates (MTCs).

The message to the industry is clear: The post-quantum transition is underway, and the architecture of web PKI is about to evolve.

Why this announcement matters

Google is already live-testing MTCs with Cloudflare and has outlined a three-phase roadmap that includes a new quantum-resistant root store by late 2027. That combination of active testing and defined timelines makes this far more than exploratory research.

For the certificate authority (CA) ecosystem, this puts everyone on notice. The transition to quantum-resistant authentication will not be a drop-in algorithm swap. It requires rethinking how certificates are issued, validated, and distributed at internet scale.

At DigiCert, we’ve been investing in post-quantum readiness for years—from being the first CA to support PQC algorithms in private certificates through DigiCert ONE to actively participating in standards bodies like the IETF and CA/Browser Forum. We view Google’s announcement as validation of what we’ve consistently told customers: The time to build crypto-agility and begin piloting PQC is now.

The performance challenge of post-quantum cryptography

The core issue with post-quantum signatures is size.

NIST-standardized PQC algorithms such as ML-DSA produce signatures and public keys that are dramatically larger than today’s elliptic curve signatures. Where classical signatures may be around 64 bytes, post-quantum equivalents can reach approximately 2.5 kilobytes—nearly 40 times larger.

Certificates are exchanged during the TLS handshake, which is the latency-sensitive process that occurs before any website content loads. If certificate chains and Certificate Transparency (CT) proofs expand significantly, TLS handshakes could grow to 15–30 KB. That added weight risks slowing page load times, particularly on mobile or constrained networks.

If quantum-safe authentication noticeably degrades performance, adoption slows, and that delays the security benefits PQC is meant to provide.

How Merkle Tree Certificates aim to solve it

Merkle Tree Certificates are designed to address this performance dilemma.

Rather than attaching large post-quantum signatures to every certificate, a CA signs a single “Tree Head” representing many certificates organized in a Merkle tree. Browsers then receive compact proofs of inclusion, allowing them to verify a certificate without downloading a full chain of large cryptographic material.

The result: Authentication data transmitted during the TLS handshake can remain close to today’s size—while still achieving quantum resistance.

MTCs also build transparency directly into the issuance model. Because certificates must be included in a public tree, transparency becomes inherent, eliminating much of the additional overhead that CT currently adds to the handshake.

Standards for MTCs are still under development at the IETF, and operational questions remain, such as tree maintenance, browser update models, and ecosystem migration paths. DigiCert is actively engaged in these discussions through our participation in the IETF PLANTS working group.

The role of certificate transparency operators

Google’s rollout plan identifies CT log operators as early participants in bootstrapping the MTC ecosystem. That alignment makes sense: Both CT and MTCs rely on Merkle tree data structures and append-only, globally consistent log infrastructure.

DigiCert was the first CA to operate a CT log accepted by Chrome and has maintained CT infrastructure since 2013. Operating such infrastructure requires high availability, cryptographic consistency, and the ability to process millions of entries reliably.

This experience positions DigiCert at the center of the transition. We bring deep operational knowledge, active standards participation, and growing PQC capabilities across our platform.

How disruptive will the transition be?

The shift to quantum-resistant cryptography will be the most significant cryptographic migration in internet history. But it doesn’t have to be chaotic.

The goal is for users to notice nothing. The disruption occurs behind the scenes:

• CAs supporting new formats and algorithms

• Servers deploying updated configurations

• Browsers implementing new verification logic

• CT infrastructure evolving

And the impact extends beyond websites. IoT devices, embedded systems, code signing, document signing, email security, and other PKI-dependent systems all face transition considerations.

The greater risk isn’t disruption from change—it’s disruption from delay. Adversaries are already harvesting encrypted data today in anticipation of future quantum decryption capabilities.

What organizations should do now

Google’s announcement reinforces several critical points:

1. The PQC transition is happening now. Live testing is underway, timelines are defined, and the risk horizon is near. Gartner predicts that by 2029, conventional asymmetric cryptography like RSA and ECC will be unsafe for protecting sensitive data due to “harvest-now, decrypt-later" threats—even before a quantum break occurs.
2. Crypto-agility is essential. Organizations must be able to swap algorithms without rearchitecting their environments. DigiCert Trust Lifecycle Manager is built to provide the visibility and automation necessary to navigate transitions like this without disruption.
3. Open standards are key. Collaboration through the IETF PLANTS working group ensures the infrastructure works across browsers, cloud providers, and the broader CA community. DigiCert remains deeply committed to this multi-stakeholder approach.

For organizations that haven’t started preparing, now is the time to act by:

• Inventorying your cryptographic assets

• Piloting PQC certificates in test environments. DigiCert Labs offers free quantum-safe certificates for this purpose.

• Investing in centralized certificate lifecycle management to ensure agility as standards evolve

The quantum era is not a distant scenario. The foundational infrastructure changes are already underway. The question is no longer whether the web will transition to quantum-resistant authentication, but whether your organization will be ready when it does.