Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- PQC_Status

Story Points:
8
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
AssignedTeam:
rhel-container-tools
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

PX Impact Score:

Allow requiring TLS 1.3 and ML-KEM (Post-Quantum Cryptography) support for container-libs in sigstore signing.

~~RUN-4080~~ covers most of container-libs; this tracks the outstanding work:

Rekor support for BaseTLS exists, but is not exposed to callers
The Fulcio client currently doesn't expose a *tls.Config . We need to either add that upstream, or replace the client.
Three different Go modules are involved in the OIDC operations required for Fulcio; at least the sigstore one doesn’t expose a *tls.Config. See whether that can be worked around, and if not, either add that upstream, or replace the code.

Acceptance Criteria:

TLS 1.2 remains the default for Podman

TLS version can be configured in the configuration files to use 1.3

ML-KEM-exclusive can be enabled

blocks

RUN-4078 [EPIC] [PQC] Enable TLS 1.3 with ML-KEM support in container tools on RHEL 9

In Progress

clones

RUN-4080 [PQC] Allow requiring TLS 1.3/ML-KEM for container-libs – most parts

Closed

Assignee:: Miloslav Trmač

Reporter:: David Darrah

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2026/02/06 10:54 PM

Updated:: 2026/02/06 11:01 PM