Tracking: Post-quantum cryptography (ML-KEM / ML-DSA / SLH-DSA) support roadmap #14690

@maddykws

Hey all,

First — I know this library implements RSA and ECC. That's the point.
This isn't a "you have vulnerabilities" issue. It's more of a "where are
we on PQC support and can I help" issue.

Context: I've been building a scanner (QuantumMigrate) that audits
codebases for quantum-vulnerable crypto usage. I ran it on this repo
mostly out of curiosity, and it flagged 174 usages in src/ alone — which
is completely expected given what this library does. But it made me
wonder about the roadmap for NIST PQC support.

NIST finalized three standards in 2024:

  • ML-KEM (FIPS 203) — key encapsulation, replaces RSA/DH/ECDH
  • ML-DSA (FIPS 204) — signatures, replaces RSA/ECDSA/DSA
  • SLH-DSA (FIPS 205) — hash-based signatures, conservative backup

The deadline pressure is real. "Harvest now, decrypt later" means
encrypted data being sent over TLS today is potentially being stockpiled.
The sensitive stuff — healthcare records, financial transactions, anything
with a long confidentiality window — is already at risk.

A few specific things I noticed in the source that seem worth discussing:

ssh.py (22 hits) — RSA and ECC key types for SSH. OpenSSH already
merged experimental support for ML-KEM-768 in OpenSSH 9.0. Is there a
plan to surface that here once it stabilises in the spec?

_oid.py (lines 128-148) — SHA1 and MD5 in the OID signature
algorithm map. I understand these exist for parsing legacy certs, but
is there appetite for a deprecation warning when they're used for
signing (not just parsing)?

ec.py / rsa.py — Core implementations obviously stay, but are there
plans to add ML-KEM and ML-DSA alongside them? OpenSSL 3.5 shipped
post-quantum support in March 2026. Since cryptography wraps OpenSSL,
I'd imagine this is closer than it looks.

I'm not expecting you to rip out RSA tomorrow. I'm genuinely asking
whether there's an existing tracking issue I missed, whether there's a
preferred way to contribute PQC primitives if OpenSSL exposes them, or
whether this is something the maintainers have already scoped.

Happy to help however makes sense — testing, docs, whatever.

Thanks for maintaining one of the most important libraries in the Python
ecosystem.

— scanned with https://github.com/maddykws/QuantumMigrate
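As an added illustration of the audit the post describes (inventorying RSA/ECC usage and warning when SHA1 or MD5 reaches a signing call), here is a small AST-based scanner in Python. It is example code written for this page, not code from the cryptography project or from QuantumMigrate; the PQC_REPLACEMENT mapping, the `scan_source` function and the SAMPLE source are constructed for the example.

```python
import ast
# Asymmetric modules of cryptography.hazmat and the NIST PQC standard taking over each role.
PQC_REPLACEMENT = {
    "rsa": "ML-KEM (FIPS 203) for encryption, ML-DSA (FIPS 204) for signatures",
    "ec": "ML-KEM (FIPS 203) for ECDH, ML-DSA (FIPS 204) for ECDSA",
    "dh": "ML-KEM (FIPS 203)",
}
ASYM_PKG = "cryptography.hazmat.primitives.asymmetric"
LEGACY_HASHES = {"SHA1", "MD5"}  # fine for parsing old certs, not for producing signatures

def _legacy_hashes_in(expr):
    # Yield SHA1/MD5 constructor names found anywhere inside one argument expression.
    for sub in ast.walk(expr):
        f = getattr(sub, "func", None)  # only ast.Call nodes carry .func
        name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
        if name in LEGACY_HASHES:
            yield name

def scan_source(src):
    tree = ast.parse(src)
    # Local name -> module for `from ...asymmetric import rsa [as r]`; import-as aware.
    aliases = {a.asname or a.name: a.name for node in ast.walk(tree)
               if isinstance(node, ast.ImportFrom) and node.module == ASYM_PKG for a in node.names}
    findings = []  # each finding: {line, kind, what, note}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            func = node.func
            # Any call through a tracked module: rsa.generate_private_key(), ec.SECP256R1(), ...
            mod = aliases.get(func.value.id) if isinstance(func.value, ast.Name) else None
            if mod in PQC_REPLACEMENT:
                findings.append({"line": node.lineno, "kind": "quantum-vulnerable",
                                 "what": f"{mod}.{func.attr}", "note": PQC_REPLACEMENT[mod]})
            # key.sign(data, padding, hashes.SHA1()): a legacy hash reaching a signing call.
            if func.attr == "sign":
                args = node.args + [kw.value for kw in node.keywords]
                for h in sorted({n for a in args for n in _legacy_hashes_in(a)}):
                    findings.append({"line": node.lineno, "kind": "legacy-signing-hash",
                                     "what": h, "note": "warn for signing, allow for parsing"})
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample input for this example (not code from the cryptography repository).
SAMPLE = """\
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, ec, padding
key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
sig = key.sign(b"msg", padding.PKCS1v15(), hashes.SHA1())
eph = ec.generate_private_key(ec.SECP256R1())
digest = hashes.Hash(hashes.SHA256())  # hash-only use: not flagged
"""
```

Running `scan_source(SAMPLE)` reports the RSA key generation, the SHA1 reaching `key.sign`, and the two EC calls, while the SHA-256 digest on the last line produces no finding.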