← Week 4: Migration Planning

Day 26: Writing the Migration Roadmap

Phase 3 · August 2, 2026

← Week 4: Migration Planning

Agenda (2–3 hours)

  • No new reading — all material has been covered
  • Write (150 min): Draft the complete pqc-migration-roadmap.md
  • Review (30 min): Read it as if you were your tech lead seeing it for the first time

This is the most important writing day of Phase 3.

← Week 4: Migration Planning

Document Structure

# PQC Migration Roadmap: Amazon Leo Secure Comms Provisioning Service
Version: 0.1 (draft) | July 2026 | Author: [name]

## 1. Executive Summary (half page)

## 2. Threat Assessment
  2.1 Assets at Risk
  2.2 Cryptographic Inventory
  2.3 Quantum Threat Timeline
  2.4 HNDL Exposure Analysis

## 3. Algorithm Recommendations
  3.1 Key Exchange
  3.2 Digital Signatures
  3.3 Symmetric / Hash (no change required)
  3.4 Parameter Selection Rationale

## 4. Migration Architecture
  4.1 Phase A: Hybrid TLS Key Exchange (Now – 2027)
  4.2 Phase B: PQC Certificate Signing (2027 – 2029, pending HSMs)
  4.3 Phase C: Full PQC, Classical Deprecated (2030 – 2033)

## 5. Dependency Map
  5.1 AWS Service Dependencies
  5.2 Library/Tooling Dependencies
  5.3 HSM Readiness

## 6. Performance Impact
  6.1 TLS Handshake Overhead
  6.2 Certificate Size Analysis
  6.3 CA Throughput

## 7. Compliance Calendar
  7.1 CNSA 2.0 Requirements
  7.2 NSM-10 Federal Requirements
  7.3 Internal Milestone Dates

## 8. Open Questions
  (Things to validate with the team when you return)

## Appendix A: Benchmark Data
## Appendix B: Algorithm Reference Table
← Week 4: Migration Planning

Section 1: Executive Summary (Write This Last)

3–5 sentences that a non-cryptographer tech lead can understand:

The Amazon Leo provisioning service currently relies on elliptic-curve 
cryptography (ECDH, ECDSA) for all TLS key exchange and certificate operations. 
These algorithms are vulnerable to harvest-now-decrypt-later attacks by adversaries
collecting traffic today for decryption when quantum computers become available — 
likely within 10–15 years. 

This roadmap outlines a three-phase migration to post-quantum cryptography:
immediate deployment of hybrid TLS key exchange (Q4 2026), migration to ML-DSA 
certificate signing when HSM support is available (2027–2028), and full deprecation 
of classical cryptography by 2030 in line with NSA CNSA 2.0 requirements.
← Week 4: Migration Planning

Sections to Pull from Prior Days

Section From Days
Assets at Risk Day 1 challenge 1
Cryptographic Inventory Day 7 challenge 7
Algorithm Recommendations Day 5 challenge 5
Parameter Selection Day 9 challenge 9
Hybrid Strategy Day 15 challenge 15
Cert Transition Plan Day 19 challenge 19
Dependency Map Day 22 challenge 22
AWS Service Dependencies Day 24 challenge 24
Performance Impact Day 14 + 18 challenges 14, 18
Compliance Calendar Day 23 challenge 23
← Week 4: Migration Planning

Challenge Assignment

Complete pqc-migration-roadmap.md — all sections.

Quality bar: this should be good enough to send to a tech lead for review.
It represents 3 weeks of learning distilled into actionable guidance.

Specifically:

  • Be concrete: name specific algorithms, parameters, and dates
  • Be honest about uncertainty: distinguish what you know from what you're estimating
  • Be actionable: every section should have a "what to do" not just "what is true"
  • Be concise: aim for 3–5 pages, not 15
← Week 4: Migration Planning

Resources

  • All your challenge answers from Days 1–25
  • Your pqc-demo benchmark output (Appendix A)
  • Days 5, 9, 22, 23, 24 for the most directly usable content