Post-Quantum Cryptography Alliance - Technical Advisory Council (TAC) Meeting 03 June, 2026

View Recording Recordings are also available on your Open Profile page under Past Meetings
Join the meeting
PQCA Meeting Calendar
Discord Server

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Voting Representative Attendance (Alphabetical by 1st name)

Premier Member Representatives

  • Brian Jarvis, AWS
  • Michael Maximilien, IBM
  • Norman Ashley, Cisco (OQS Rep)
  • Sophie Schmieg, Google

### Project Representatives

  • Matthias Kannwischer, TCR
  • Hanno Becker, AWS (PQCP)
  • Andreas Schade, IBM (CBOMkit)
  • Aditya Koranga, NgKore [TAC Chair]

Non-Voting Representative Attendance

LF Staff

  • Christina Harter
  • Hart Montgomery

Other Attendees

  • Joe Livingston, IBM
  • Christopher Robinson, OpenSSF
  • Jeff Diecks, OpenSSF
  • Kevin Micciche, HPE
  • Atadana, Africa Quantum Consortium
  • Katarina, Siemens
  • Sachin Kumar
  • AK

Meeting Agenda

  • LFX Mentorship mentee selection deadline extended to June 14th
  • OpenSSF team to discuss on baselines and more
  • PQCA webinar with AWS, recording now available
  • Blog: CBOMkit pipeline follow up
  • Project updates
    • OQS
    • CBOMkit
    • PQCP
    • Readiness Tracking WG

Discussion & Updates

OpenSSF Project Security Baseline Presentation

Aditya welcomed participants and introduced Chris Robinson (CRob) and Jeff from OpenSSF to present the OpenSSF Project Security Baseline initiative.

CRob explained that the baseline consists of 41 security controls organized into three maturity levels across eight cybersecurity domains, including access control, build security, vulnerability management, and incident response. The initiative aims to simplify security adoption for open source maintainers while helping downstream consumers better understand project security practices.

The presenters explained that:

  • Level 1 is intended to be approachable and achievable for most projects, typically requiring between 1–4 hours of effort.
  • Levels 2 and 3 introduce more advanced security controls and maturity requirements.
  • The baseline maps to 18 different security and compliance frameworks, including the EU Cyber Resilience Act (CRA) and NIST guidance.
  • OpenSSF provides several supporting tools, including:
  • Best Practices Badges
  • Security Insights
  • Darnit
  • Privateer
  • Integration with OpenSSF Scorecard, which is expected to incorporate all baseline controls by the end of the year.

The group discussed implementation approaches, including self-assessment checklists and automated tooling. CRob noted that Level 1 compliance can often be achieved quickly by experienced maintainers and that the maturity model is expected to remain stable through 2026, with annual reviews planned for future updates.

Applying Security Baselines to PQCA Projects

The TAC discussed how OpenSSF baselines might apply to PQCA projects and working groups.

Aditya noted that some PQCA efforts, such as documentation-focused working groups, differ from traditional software projects and may require slight adaptations of the framework. CRob responded that the baseline can be applied beyond code-centric projects and recommended using Level 1 as an initial starting point.

Questions were raised regarding:

  • Multi-factor authentication requirements
  • Long-term maintenance expectations
  • Automation versus manual verification
  • Applicability to cryptography-focused projects

Jeff emphasized that projects can tailor implementation approaches based on their specific use cases while still benefiting from the baseline framework.

The TAC agreed to review the baseline requirements against existing project processes and determine where adoption may provide value.

Project Updates

OQS

Norman shared that OQS continues coordinating with authors of NIST Round 3 finalist algorithms regarding potential integration efforts.

The team also discussed conference participation opportunities and potential mentorship involvement to support future algorithm integration work.

CBOMkit

Andreas reported ongoing discussions around C++ support within CBOMkit.

The team continues evaluating implementation approaches, including SonarQube-based and Antlr-based solutions, while reviewing several open pull requests. Additional work continues around repository maintenance and license-related review items.

PQCP

No representatives on the call.

Main updates:

mldsa-native:

  • v1.0.0-beta2 release, marking the completion of the RAM reduction work. See https://github.com/pq-code-package/mldsa-native/releases/tag/v1.0.0-beta2
  • Relaxed some internal bounds in preparation for a RV32-IM backend.

mlkem-native:

  • Working towards next release, hopefully including IBM’s PPC64 backend that is under active review+rework at the moment.

Readiness Tracking WG

No representatives on the call.

Next Steps / Action Items

Action Item Owner Status / Due Date
Follow up with CRob and Jeff regarding additional OpenSSF questions, including AI-related topics and CBOM/SBOM discussions Aditya Before next TAC meeting
Complete final review of the CBOMkit blog post with Brian and publish if approved Aditya This week
Reach out to Hart regarding the process for requesting conference funding and representation support Norman Before next TAC meeting
Coordinate with NIST Round 3 finalist authors regarding algorithm integration efforts and explore mentorship program support Norman Ongoing
Continue reviewing open pull requests related to C++ support and evaluate implementation approach options Andreas Ongoing
Connect with Aditya to discuss participation in the Readiness Tracking Working Group Atadana Before next TAC meeting
Share CRob and Jeff’s contact information with interested colleagues for follow-up discussions Kevin After meeting

Adjourned:
Adjourned at 8:02am PT.