
2025-11-25
In this episode, host Sven Rajala, International PKI Man of Mystery, is joined by David Hook, VP of Software Engineering for Bouncy Castle, to unpack the latest progress and practical realities behind composite signatures, one key concept in the move toward post-quantum cryptography (PQC).
Composite signatures combine a post-quantum algorithm (ML-DSA) with a classical algorithm such as RSA-PSS or ECDSA, creating a hybrid signature that remains secure as long as at least one of the two algorithms is unbroken. This duality provides a hedge against uncertainty in the transition to PQC.
David explains that the current draft specification has matured significantly: the OID list has been streamlined, parameter mappings are well-aligned between classical and PQC schemes, and the standard is now in working group last call, expected to become an official RFC in early next year.
A key discussion point is incremental deployment. While it might seem that implementing composites requires full ML-DSA support from day one, David clarifies that organizations can roll out composite certificates in stages. Devices that currently support ECDSA, for instance, can begin by simply recognizing composite certificates and parsing the classical portion of the key. Over time, ML-DSA support can be added, making this a practical path for gradual PQC adoption.
Another important takeaway is the evolution of the standard itself. Initially, composite certificates could be configured as “OR” (either classical or PQC) or “AND” (both required). The final direction leans toward the “AND” approach, ensuring both signatures are validated, though the non-standardized flexibility of “OR” remains valuable for certain transitional use cases.
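To make the "AND" versus "OR" distinction and the incremental-deployment point concrete, here is an added Go example; it is not code from the episode, from Bouncy Castle or from Keyfactor. Go's standard library has no ML-DSA, so RSA-PSS stands in for the post-quantum component next to ECDSA P-256, and the names `CompositeKey`, `Sign`, `Verify`, `VerifyClassicalOnly` and `Policy` are this example's own. The draft's exact message encoding (domain separation) is not reproduced; only the verification policy logic is shown.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Policy is how a verifier combines the two component results.
type Policy int

const (
	PolicyAND Policy = iota // both components must verify (the draft's final direction)
	PolicyOR                // either component suffices (transitional, not standardized)
)

// CompositeSignature carries one signature per component algorithm over the same message.
type CompositeSignature struct {
	PQ        []byte // stand-in for the ML-DSA component (RSA-PSS here; see lead-in)
	Classical []byte // ECDSA P-256 component
}

// CompositeKey holds both component private keys; their public halves form the composite public key.
type CompositeKey struct {
	pq        *rsa.PrivateKey
	classical *ecdsa.PrivateKey
}

// NewCompositeKey generates both components (hypothetical helper, not Bouncy Castle's API).
func NewCompositeKey() (*CompositeKey, error) {
	pq, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	classical, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CompositeKey{pq: pq, classical: classical}, nil
}

// Sign produces both component signatures over the SHA-256 digest of msg.
// The real draft also binds a domain separator into the signed data; omitted here.
func (k *CompositeKey) Sign(msg []byte) (*CompositeSignature, error) {
	digest := sha256.Sum256(msg)
	pq, err := rsa.SignPSS(rand.Reader, k.pq, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	classical, err := ecdsa.SignASN1(rand.Reader, k.classical, digest[:])
	if err != nil {
		return nil, err
	}
	return &CompositeSignature{PQ: pq, Classical: classical}, nil
}

// Verify checks both components and combines the results under the chosen policy.
func (k *CompositeKey) Verify(msg []byte, sig *CompositeSignature, p Policy) bool {
	digest := sha256.Sum256(msg)
	pqOK := rsa.VerifyPSS(&k.pq.PublicKey, crypto.SHA256, digest[:], sig.PQ, nil) == nil
	classicalOK := ecdsa.VerifyASN1(&k.classical.PublicKey, digest[:], sig.Classical)
	if p == PolicyAND {
		return pqOK && classicalOK
	}
	return pqOK || classicalOK
}

// VerifyClassicalOnly models a device that only understands ECDSA today: it
// parses the classical half of the composite and ignores the PQ half.
func (k *CompositeKey) VerifyClassicalOnly(msg []byte, sig *CompositeSignature) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(&k.classical.PublicKey, digest[:], sig.Classical)
}

func main() {
	key, err := NewCompositeKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	sig, err := key.Sign(msg)
	if err != nil {
		panic(err)
	}
	// Simulate one broken or forged component by corrupting the classical signature.
	broken := &CompositeSignature{PQ: sig.PQ, Classical: append([]byte(nil), sig.Classical...)}
	broken.Classical[len(broken.Classical)-1] ^= 0x01

	fmt.Println("intact, AND:", key.Verify(msg, sig, PolicyAND))
	fmt.Println("intact, classical-only verifier:", key.VerifyClassicalOnly(msg, sig))
	fmt.Println("one component bad, AND:", key.Verify(msg, broken, PolicyAND))
	fmt.Println("one component bad, OR:", key.Verify(msg, broken, PolicyOR))
}
```

The corrupted-component run is the point of the hedge: under "AND" a single broken or forged component is rejected, whereas under "OR" the surviving component still passes, which is why "OR" only makes sense as a transitional policy. `VerifyClassicalOnly` is the staged-rollout case from the episode: an ECDSA-only device can already accept the composite by parsing its classical half, and ML-DSA checking is switched on later.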
Composite signatures, therefore, offer a versatile bridge strategy: organizations can maintain classical cryptographic compatibility while preparing for PQC readiness. As David notes, several Keyfactor and Bouncy Castle users already have proof-of-concept deployments underway, demonstrating that real-world adoption is accelerating.
Composite signatures represent one of the most pragmatic and technically elegant steps toward post-quantum readiness. They allow organizations to start their migration today, introducing PQC algorithms without disrupting existing infrastructure, and provide a long-term hedge against algorithmic risk.
As the RFC finalizes and libraries like Bouncy Castle and platforms like Keyfactor EJBCA and SignServer integrate support, composites are poised to become the cornerstone of secure, quantum-resilient PKI architectures.
Our current best recommendation is to migrate to pure PQC wherever possible, provided that you can ensure sufficient crypto agility. In areas where this is not yet feasible, consider hybrid approaches to progress incrementally. In both cases, it is essential to prioritize crypto agility, the ability to adapt to new algorithms and standards. As advances in cryptanalysis and algorithm design continue, additional algorithm transitions can be expected in the future.
In most cases, migrating directly to pure PQC is the least complex path, as the broader ecosystem (including HSMs, OpenSSL, and other critical components) increasingly supports post-quantum algorithms, and key standards such as RFC 9881 and 9882 are now in place. Hybrid options should be reserved for specific scenarios, for example, where you control both client and server environments, and interoperability is not a current requirement. For most organizations, waiting for hybrid PKI solutions to mature poses a significant risk unless they already have deep cryptographic and development expertise in-house.

