Technical
Hybrid TLS proof: what the handshake appendix means
The Qtangl demo includes hybrid ML-KEM handshake traces — showing classical and post-quantum key exchange in a verifiable audit pack.
What the appendix contains
After a hybrid TLS handshake, Qtangl captures:
- Negotiated cipher suite including ML-KEM hybrid KEX
- Certificate chain algorithms
- Trace metadata for auditor review
This attaches to signed reports with verify links — auditors check signatures independently.
Why proof matters
Assessors increasingly ask "show me hybrid TLS in production" — not "show me a roadmap slide." Handshake proof closes the loop between inventory (what you have) and migration (what you fixed).
Pilot path
- Inventory endpoints ready for hybrid rollout.
- Enable hybrid TLS on non-production path first.
- Run handshake proof scan and attach to remediation item.
- Re-scan production after cutover.
See /q-day/hybrid-tls for the full explainer and /docs/reference/pqc/handshake-prove for API details.
Continue on the Q-Day hub: Hybrid TLS proof guide
References & further reading
Authoritative primary sources cited in this article. Summaries are our own — follow links for full context.
Last verified 2026-06-03
- FIPS 203 — Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)NIST · 2024-08Standardized post-quantum key encapsulation (formerly Kyber).
- Cloudflare targets 2029 for full post-quantum securityCloudflare · 2026Cloudflare's accelerated PQ roadmap including post-quantum authentication milestones.
See your exposure with evidence
Run a live PQC inventory scan, export a CBOM, and verify signed reports independently.