Observability for Post-Quantum TLS Readiness: A Multi-Surface Evidence Framework

TL;DR

This paper introduces a multi-surface framework for observability in post-quantum TLS, enabling comprehensive evidence collection and analysis across various TLS scenarios to assess quantum vulnerability readiness.

Contribution

It presents a novel multi-surface evidence framework that separates passive, active, and registry evidence for post-quantum TLS measurement and evaluation.

Findings

Passive evidence closes session-level planes.

Active probing establishes capability lower bounds.

Framework detects hybrid capabilities and endpoint discrepancies.

Abstract

Post-quantum migration in Transport Layer Security (TLS) requires evidence-aware measurements that distinguish session negotiation, endpoint capability, certificate-chain evidence, and the provenance of missing observations. This distinction is essential under TLS 1.3 encryption, resumption, mutual TLS, trace truncation, fragmentation, coalescing, active certificate retrieval, and temporal drift. We present a multi-surface framework for post-quantum TLS observability. The framework separates passive session evidence, active probing, certificate-chain evidence, and registry knowledge, and maps them onto measurement planes for session behavior, key establishment, endpoint capability, authentication, lifecycle, observability, and policy. We instantiate it as a reproducible artifact with schema-enforced observations and results, versioned registries, auditable inference rules, stress contracts, and baseline adapters. We evaluate the framework on 29 controlled scenarios spanning TLS 1.2 and TLS 1.3, classical and hybrid key establishment, mutual TLS, resumption, HelloRetryRequest, truncation, fragmentation and coalescing, temporal drift, IPv6, and chain-depth variation. Passive evidence closes session-level planes, active probing establishes capability lower bounds, and multi-surface evidence closes the full measurement object while preserving uncertainty and contradiction when required. Against an inherited TLS quantum-vulnerability analyzer, the baseline detects 2 of 29 runs and 0 of 23 TLS 1.3 runs. In a stratified public campaign over 1000 targets and 2000 fresh probes, the framework completes 1971 handshakes, collects 1368 chain artifacts, confirms hybrid capability for 310 targets, and identifies 310 cases where endpoint capability exceeds what any single classical session view reveals.