← Week 3: Integration and Application

Day 19: SPIFFE + PQC — Short-Lived SVIDs and the Migration Roadmap

Phase 4 · August 23, 2026


Agenda (2–3 hours)

  • Read (30 min): Re-read Phase 3's PQC migration roadmap with SPIFFE context active
  • Study (60 min): Where SPIFFE and PQC intersect; where they diverge
  • Write (60 min): Add a SPIFFE section to your PQC migration roadmap

Why These Two Phases Connect

Phase 3 asked: "How do we migrate to PQC cryptography?"
Phase 4 asks: "How do we automate credential lifecycle?"

They intersect at the CA:

Classical PKI (Phase 3)        SPIFFE/SPIRE (Phase 4)
  CA signs long-lived certs      CA signs short-lived SVIDs
  Rotation: manual/ACME          Rotation: automatic (SPIRE)
  Identity: machine/service      Identity: workload
  Algorithm: ECDSA P-256         Algorithm: ECDSA P-256 (today)
                                           ML-DSA-65 (when SPIRE supports it)

Short-lived SVID + automatic rotation = smaller HNDL window.
A 1-hour SVID reduces the HNDL exposure 13,000× vs. a 13-month static cert.


SVID Validity and HNDL Risk

Recall from Phase 3:

  • HNDL: adversaries harvest encrypted traffic now to decrypt later
  • The exposure window = time during which the harvested data can be decrypted
  • For a TLS session: the window closes when the session keys are rotated
  • For a cert: the window is the cert validity period (an attacker who recovers the cert's private key can impersonate the service for as long as the cert is valid)

Cert type                   Validity    HNDL exposure window
  ACM TLS cert              13 months   Up to 13 months
  ACME cert (Let's Encrypt) 90 days     90 days
  SPIRE SVID (default)      1 hour      1 hour
  SPIRE SVID (short-TTL)    5 min       5 min

SPIFFE doesn't change the key exchange algorithm (that's at the TLS layer),
but it dramatically shrinks the cert-based HNDL window.


PQC + SPIRE: The Algorithm Gap

Today (2026), SPIRE's internal CA uses ECDSA P-256 to sign SVIDs.

For full CNSA 2.0 compliance, SPIRE needs ML-DSA-65 signing.
The migration path:

Phase A (now): SPIRE CA signs SVIDs with ECDSA P-256
               TLS key exchange: X25519 (classical)
               ↓  HNDL window reduced by short SVID TTL

Phase B (when rustls + aws-lc-rs support is stable, ~2027):
               SPIRE CA signs SVIDs with ML-DSA-65
               TLS key exchange: X25519MLKEM768 (hybrid)
               ↓  Quantum-resistant identity + key exchange

Phase C (~2030): Remove ECDSA fallback; ML-DSA-only SVIDs

SPIRE's CA key upgrade is the bottleneck — not the workloads.
When SPIRE's CA switches to ML-DSA, all SVIDs get PQC signing on next rotation.
No workload changes needed.


SPIRE's UpstreamAuthority in the PQC Migration

If SPIRE uses UpstreamAuthority "aws_pca":

ACM PCA root CA (PQC when CloudHSM PQC is ready, ~2027)
└── ACM PCA intermediate (ML-DSA when ACM PCA ML-DSA support lands)
    └── SPIRE intermediate CA (signed by ACM PCA)
        └── Workload SVIDs (ML-DSA when SPIRE supports it)

The PQC migration cascade:

  1. CloudHSM PQC support → ACM PCA root key can be ML-DSA
  2. ACM PCA ML-DSA support → SPIRE intermediate cert can be ML-DSA
  3. SPIRE ML-DSA CA key support → leaf SVIDs can be ML-DSA
  4. Workloads auto-rotate → all SVIDs PQC within 1 TTL (~1 hour)

Step 4 is SPIFFE's biggest advantage over static certs:
the migration completes at scale within 1 hour, not over months of cert rotation.


Trust Bundle PQC Migration

Trust bundles are JWK Sets. When the SPIRE CA key changes algorithm:

  • New trust bundle entries appear (ML-DSA keys)
  • Old ECDSA entries remain until all outstanding SVIDs signed by them expire
  • After 1 SVID TTL: all ECDSA-signed SVIDs are expired; ECDSA entries can be removed

This is CNSA 2.0 in practice: the transition period is measured in hours, not years,
because SPIRE manages the lifecycle automatically.
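Step 4 of the cascade above and the trust-bundle transition just described can be checked with a small model. The Python below is an added example, not SPIRE or SPIFFE project code: it performs no real signing (the algorithm names are labels only), and the workload count, key ids, SPIFFE IDs and switch-over time are constructed. It assumes agents renew an SVID once half its TTL has elapsed and that the bundle keeps a CA key entry until every SVID ever signed with that key has expired.

```python
"""Model of a SPIRE trust-bundle transition when the CA changes signing algorithm.
Added example, not SPIRE/SPIFFE code; no real signing ("ES256"/"ML-DSA-65" are labels).
Key ids, SPIFFE IDs, fleet size and switch time are constructed.  Assumed: agents renew at half TTL.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SWITCH_AT = datetime(2026, 8, 23, 12, 0, tzinfo=timezone.utc)  # constructed switch time


@dataclass(frozen=True)
class CAKey:
    kid: str  # would be the JWK "kid" in the bundle
    alg: str  # algorithm label only


@dataclass(frozen=True)
class SVID:
    spiffe_id: str
    signer: CAKey
    not_before: datetime
    not_after: datetime

    def expired(self, now):
        return now >= self.not_after

    def due_for_renewal(self, now, fraction=0.5):
        # Assumed agent behaviour: rotate once half the lifetime has elapsed.
        return now >= self.not_before + (self.not_after - self.not_before) * fraction


class TrustBundle:
    """JWK-Set-shaped view of the CA keys verifiers must currently accept."""

    def __init__(self):
        self.keys = {}

    def add(self, key):
        self.keys[key.kid] = key

    def prune(self, ledger, now, signing_key):
        # Drop entries no unexpired SVID depends on; the current signer always stays.
        # 'ledger' must hold every SVID ever issued, not just each workload's latest:
        # a superseded SVID remains valid until its not_after.
        needed = {s.signer.kid for s in ledger if not s.expired(now)}
        needed.add(signing_key.kid)
        removed = [kid for kid in self.keys if kid not in needed]
        for kid in removed:
            del self.keys[kid]
        return removed

    def jwks(self):
        # Real entries also carry "x5c" chains; the model keeps identifiers only.
        return {"keys": [{"kid": k.kid, "alg": k.alg, "use": "x509-svid"}
                         for k in self.keys.values()]}


def simulate_switch(ttl=timedelta(hours=1), workloads=200, step=timedelta(minutes=5)):
    """Switch the CA from ECDSA to ML-DSA at SWITCH_AT and step time forward until
    the ECDSA entry can leave the bundle.  Durations come back in units of ttl."""
    ecdsa = CAKey("ca-2026-ecdsa", "ES256")
    mldsa = CAKey("ca-2026-mldsa", "ML-DSA-65")
    bundle = TrustBundle()
    bundle.add(ecdsa)

    # Steady state before the switch: with half-TTL rotation every live SVID was
    # issued within the last ttl/2, staggered across the fleet.
    current, ledger = {}, []
    for i in range(workloads):
        issued = SWITCH_AT - (ttl / 2) * (i / workloads)
        svid = SVID(f"spiffe://example.org/wl/{i}", ecdsa, issued, issued + ttl)
        current[svid.spiffe_id] = svid
        ledger.append(svid)

    signing_key = mldsa  # the CA signs with the new key from now on...
    bundle.add(mldsa)    # ...and publishes it next to the old entry

    now, timeline, pqc_complete_at, ecdsa_removed_at = SWITCH_AT, [], None, None
    for _ in range(10_000):  # guard against parameters that never settle
        now += step
        for sid, svid in list(current.items()):
            if svid.due_for_renewal(now):
                current[sid] = renewed = SVID(sid, signing_key, now, now + ttl)
                ledger.append(renewed)
        pqc_share = sum(s.signer is mldsa for s in current.values()) / workloads
        if pqc_share == 1.0 and pqc_complete_at is None:
            pqc_complete_at = now
        if ecdsa.kid in bundle.prune(ledger, now, signing_key):
            ecdsa_removed_at = now
        timeline.append((now, pqc_share, sorted(k.alg for k in bundle.keys.values())))
        if ecdsa_removed_at is not None:
            break

    in_ttls = lambda t: None if t is None else (t - SWITCH_AT) / ttl
    return {"pqc_complete_ttls": in_ttls(pqc_complete_at),
            "ecdsa_removed_ttls": in_ttls(ecdsa_removed_at),
            "bundle": bundle.jwks(), "timeline": timeline}


if __name__ == "__main__":
    result = simulate_switch()
    for t, share, algs in result["timeline"]:
        print(f"{t:%H:%M}  pqc-signed={share:6.1%}  bundle={algs}")
    print("live SVIDs all PQC-signed after", result["pqc_complete_ttls"], "TTL;",
          "ECDSA entry removable after", result["ecdsa_removed_ttls"], "TTL")
```

With the 1-hour default the model reports every live SVID PQC-signed half a TTL after the switch and the ECDSA bundle entry removable at exactly 1 TTL, which is the "hours, not years" transition stated above. The caveat worth keeping from `prune` is that it has to see every SVID issued, not just each workload's current one: a superseded ECDSA SVID stays valid until its own not_after, so removing the old CA entry as soon as the last workload has rotated would break verification for peers still presenting it.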


Challenge Assignment

Update your pqc-migration-roadmap.md with a new section:

## §9 SPIFFE/SPIRE Integration

### 9.1 SVID Validity and HNDL Exposure
<table comparing cert validity × HNDL window for different approaches>

### 9.2 SPIRE + PQC Migration Path
<the Phase A/B/C table from this slide, filled in for your service>

### 9.3 Migration Automation Advantage
<one paragraph: why short-lived SVIDs make the PQC migration easier>

### 9.4 Dependencies
<what needs to happen at ACM PCA, SPIRE, and rustls before this is possible>

Also update §8 Open Questions with:

  • "Has SPIRE (or equivalent) been considered for our provisioning service?"
  • "What is the SVID TTL strategy if SPIFFE is adopted?"
  • "Does our CloudHSM plan include PQC key support for the SPIRE upstream CA?"

Resources

  • Phase 3 roadmap: your pqc-migration-roadmap.md
  • SPIRE CA config reference: spiffe.io/docs/latest/deploying/spire_server (ca_ttl, default_svid_ttl)
  • CNSA 2.0: NSA media.defense.gov (Phase 3, Day 23 notes)
  • SPIRE GitHub issues: search "ML-DSA" or "post-quantum" for current PQC status