The Biggest Shake-Up in PKI in 30 Years: What Google’s MTC Proposal Means for You
In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson welcomes back Arvid Vermote, Chief Information Security Officer (CISO) at GlobalSign, to discuss Google’s groundbreaking announcement on Merkle Tree Certificates for post-quantum cryptography and why your organization needs to start preparing now.
This episode is sponsored by Keeper Security, the #1-rated password manager that is easy to use and protects every user on every device from cybercriminals. To receive 50% off personal and family plans visit https://keepersecurity.partnerlinks.io/kem9pq2bma2t
What You’ll Learn:
- How Merkle Tree certificates solve the 14-kilobyte TLS handshake problem
- Why crypto agility and automation are non-negotiable survival skills
- How to build a complete cryptographic bill of materials
- The critical gap in non-browser TLS tooling
- How CAs are preparing with new hierarchies and technical overhauls
Arvid Vermote is the Chief Information Security Officer (CISO) at GlobalSign, where he leads the company’s global security, compliance, governance, and privacy strategy, ensuring that products and operations meet industry and regulatory standards while aligning with business objectives. Before joining GlobalSign, Arvid served as a Senior Manager at EY, where he delivered cybersecurity advisory services across EMEIA, co-led the Belgian Cybersecurity and Privacy practice, and was recognized as a global expert in PKI ecosystems and risk management.
If you enjoyed this episode, make sure to subscribe, rate, and review on Apple Podcasts, Spotify, and YouTube Podcasts; instructions on how to do this are here.
YouTube Chapters:
- [00:25] The Size Problem with Post-Quantum Certificates
- [02:23] A Clear Vision for the Future of TLS
- [03:23] 2027 Root Program, 2028 Production Certificates
- [04:55] The Cryptographic Bill of Materials
- [06:22] Proof of Concept Already Underway
- [07:37] Automation Is Non-Negotiable
- [09:35] Non-Browser Tools and IoT
- [11:27] The CA/Browser Forum’s Role
Episode Resources:
Key Takeaways:
- [00:25] The Size Problem with Post-Quantum Certificates
Post-quantum cryptography algorithms inflate TLS certificate exchanges from one kilobyte to 14, making it untenable for billions of daily transactions. Google, Cloudflare, and others have proposed Merkle Tree Certificates (MTCs), which replace traditional full chain-of-trust exchanges with verification against a CA-signed Merkle tree, dramatically cutting payload size and removing the biggest barrier to deploying post-quantum certificates at scale.
- [03:23] 2027 Root Program, 2028 Production Certificates
Google plans to launch its ML-KEM-based root program by 2027, with post-quantum certificates expected in production by 2028. For organizations, this doesn’t change planning timelines, but it does replace uncertainty with clarity. The certificate of the future is no longer a question mark; the direction is becoming concrete. Over the next two years, organizations should ensure their web server infrastructure can support post-quantum certificates. The stakes are straightforward: once browsers begin enforcing these standards, sites that can't serve compatible certificates will fail to establish secure connections, effectively losing visitors.
- [07:37] Automation Is Non-Negotiable
The transition to Merkle Tree Certificates demands major preparation. CAs must build and audit new trust hierarchies while adapting to a fundamentally different technical approach to validation and signing. For businesses, the message is simple: automation is no longer optional. Google’s proposed MTC root program will only accept ACME-based issuance with short-lived certificates of ten days or less. Organizations without internal automation should partner with a provider that can ensure timely certificate replacement at scale.
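To make the size argument from the takeaways concrete, here is an added example (not code from the podcast, from Google's MTC proposal, or from GlobalSign) of the core mechanism: a CA batches certificate payloads into a Merkle tree, and a relying party verifies one certificate with a short inclusion proof against the tree root instead of walking a full chain. The hashing scheme (RFC 6962-style leaf/node prefixes with SHA-256), the constructed leaf contents, and the assumption that the root hash arrives through a CA-signed tree head the client already holds are all choices made for this illustration, not the MTC wire format.

```python
import hashlib

# Constructed sample batch: stand-ins for 1000 certificate payloads a CA
# might place in one tree. The real MTC leaf encoding is not modelled here.
SAMPLE_LEAVES = [f"cert-{i}:example{i}.test".encode() for i in range(1000)]

HASH_LEN = 32  # SHA-256 output size in bytes


def _leaf_hash(data: bytes) -> bytes:
    # Prefix bytes separate leaf hashes from interior-node hashes (RFC 6962 style),
    # so an interior node can never be passed off as a leaf or vice versa.
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _padded(level: list) -> list:
    # Duplicate the last node when a level has odd length so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_tree(leaves: list) -> list:
    """Return all tree levels: levels[0] holds the leaf hashes, levels[-1] is [root]."""
    level = [_leaf_hash(leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        padded = _padded(level)
        level = [_node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling hashes from the leaf up to (not including) the root.

    Each entry is (sibling_hash, sibling_is_on_right); this is what a server
    would send alongside its certificate instead of a full chain."""
    proof = []
    for level in levels[:-1]:
        padded = _padded(level)
        sibling = index ^ 1
        proof.append((padded[sibling], sibling > index))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    """Recompute the root from one leaf and its proof and compare with the trusted root.

    The trusted root is assumed to come from a CA-signed tree head that the relying
    party already holds, so nothing about the CA itself travels in the handshake."""
    h = _leaf_hash(leaf)
    for sibling, sibling_is_right in proof:
        h = _node_hash(h, sibling) if sibling_is_right else _node_hash(sibling, h)
    return h == root


def proof_size_bytes(proof: list) -> int:
    # One hash per tree level; the direction bits are implied by the leaf index.
    return len(proof) * HASH_LEN


if __name__ == "__main__":
    levels = build_tree(SAMPLE_LEAVES)
    root = levels[-1][0]
    proof = inclusion_proof(levels, 777)
    print("leaf 777 verifies:", verify_inclusion(SAMPLE_LEAVES[777], proof, root))
    print("proof size in bytes:", proof_size_bytes(proof))
```

For a batch of 1000 leaves the proof is ten hashes (320 bytes), and it grows only logarithmically with the batch, which is the property the episode contrasts with a roughly 14-kilobyte post-quantum chain. The check also fails closed: a leaf that was not in the batch, or a tree rebuilt with one altered entry, produces a different root and the verification returns False.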
Quotes:
- “Rather than building the chain to the root, it will check whether it's embedded into a Merkle Tree that is signed by the CA itself. And doing it that way, it strongly reduces not only the size of the CA part and the certificate part on the TLS handshake, but it also improves the performance.”
- “It will be in the sense that it will allow people to use quantum-resistant certificates in a production-ready state, because nobody really knows how it was going to work because of the TLS change size that I just explained that would be too big.”
- “Google is looking to operate its real MTC-based root program, which would be a different root program compared to traditional TLS certificates, by 2027. By 2028, we will already be seeing these certificates in production and actually customers being able to configure those types of certificates being searched from that web service.”
- “What we will likely see now is that if the standards will evolve, the TLS baseline requirements will be adopted to make sure that this new type of certificate and all the requirements around it will be captured within so that CAs can be audited against it.”