Let's Encrypt Bets on Merkle Tree Certificates for Post-Quantum Web Security

Hacker News

Let's Encrypt announced plans to implement Merkle Tree Certificates (MTCs) as its path to post-quantum web PKI. The certificate authority will target late 2026 for a staging environment and 2027 for production, representing a significant shift in how websites secure their TLS connections against future quantum computing threats.

Traditional post-quantum signature schemes like ML-DSA create massive overhead. A single ML-DSA-44 signature spans 2,420 bytes compared to just 64 bytes for ECDSA-P256. With five signatures and two public keys per typical handshake, post-quantum certificates would push TLS connections past 10 kilobytes, causing failures on real-world networks and degrading performance for all users.

MTCs solve this by batching certificates under a single signature. Browsers fetch batch signatures separately from TLS handshakes, keeping the common-case authentication path to one signature and one public key. This approach also builds certificate transparency directly into issuance, eliminating the separate logging infrastructure that current certificates require.
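The batching idea above can be seen in a small Merkle tree sketch. This is an added illustration, not Let's Encrypt's code or the MTC wire format: the SHA-256 hashing, the RFC 6962-style prefixes, the entry strings and all function names are assumptions, and the CA's signature over the root is not modeled.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # Assumption: RFC 6962-style 0x00/0x01 prefixes separate leaves from nodes.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(entries):
    """All tree levels, leaves first; an unpaired last node is promoted as-is."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # no sibling means the node was promoted
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify(entry, proof, root):
    """Recompute the root from one entry and its proof; True only on a match."""
    h = leaf_hash(entry)
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root

def demo(batch_size=1000, index=123):
    # Constructed sample batch; real entries would be certificate assertions.
    batch = [f"constructed-cert-{i}.example".encode() for i in range(batch_size)]
    levels = build_levels(batch)
    root = levels[-1][0]  # the only value the CA has to sign for the whole batch
    proof = inclusion_proof(levels, index)
    ok = verify(batch[index], proof, root)
    forged = verify(b"not-in-batch.example", proof, root)
    return ok, forged, len(proof) * 32

if __name__ == "__main__":
    print(demo(), "proof bytes vs one 2,420-byte ML-DSA-44 signature")
```

The proof grows with the logarithm of the batch size, so each certificate carries a few hundred bytes of hashes while the one large signature covers the root for the whole batch.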

Chrome has already endorsed MTCs as its preferred post-quantum path, and Cloudflare is testing the design against live traffic. The transition requires updates across ACME clients, browsers, and libraries, but Let's Encrypt will maintain its free, automated certificate model. Server operators should enable hybrid post-quantum key exchange now, as encryption threats are more immediate than authentication concerns.