The EU’s Digital Product Passport requires attestations for batteries that last 15 years. For construction products, the lifecycle is 50 to 100 years. A signed attestation about the structural steel in a building being constructed today needs to be verifiable in 2076.

Who runs the post-quantum key migration for those attestations in 2045?

This is not a rhetorical question. NIST finalized its post-quantum cryptographic standards in 2024. Every signature scheme in wide use today — RSA, ECDSA, EdDSA — is expected to be breakable by a sufficiently capable quantum computer within the next two decades. An attestation signed today with Ed25519 is secure now. In 2045, it might be trivially forgeable.

The archival problem.

Short-lived attestations — an agent verifying a transaction that settles in seconds — do not have this problem. The signature is checked immediately and the verification is complete before the cryptography becomes obsolete.

Long-lived attestations have a different lifecycle. The signature must remain verifiable for decades. The key that signed it must remain traceable to the signing entity. The revocation infrastructure must remain operational. The verification software must remain compatible.

Each of these requirements maps to a maintenance obligation that someone must fulfill for the entire lifecycle of the attestation. If the signing entity dissolves in 2035, and the key management infrastructure shuts down in 2040, and the quantum migration happens in 2045 — who re-signs the attestation with a post-quantum key? Who pays for that migration? Who even knows the attestation exists?

Archival cryptography as design discipline.

The technical solutions exist in theory: hash-based signature schemes that are quantum-resistant by construction, timestamp authorities that anchor signatures to a verifiable moment in time, and key migration protocols that re-sign existing attestations under new schemes while maintaining the provenance chain.
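A sketch of the re-signing idea described above, as an added example that is not code from this post or from any standard. It wraps a claim and its legacy signature in a chain of renewal links, each signed with a fresh Lamport one-time key (a textbook hash-based scheme standing in for a standardized one). Assumptions: the legacy signature is treated as opaque bytes, the renewal signer also vouches for the year in place of a timestamp authority, and the verifier obtains the `anchors` fingerprints out of band.

```python
import hashlib, os

def H(b): return hashlib.sha256(b).digest()

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key holds their hashes
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    # Reveals one secret per digest bit, so each key may sign exactly one message
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    pairs = enumerate(zip(bits(msg), sig))
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (b, s) in pairs)

def fingerprint(pk):
    return H(b"".join(h for pair in pk for h in pair))

def link_digest(link):
    return H(link["prev"] + str(link["year"]).encode()
             + fingerprint(link["pk"]) + b"".join(link["sig"]))

def renew(claim, legacy_sig, chain, year):
    """Append a renewal link; returns the key fingerprint to publish as a trust anchor."""
    sk, pk = keygen()
    prev = link_digest(chain[-1]) if chain else H(claim + legacy_sig)
    chain.append({"year": year, "prev": prev, "pk": pk,
                  "sig": sign(sk, prev + str(year).encode())})
    return fingerprint(pk)

def verify_chain(claim, legacy_sig, chain, anchors):
    """anchors: {year: fingerprint}, obtained out of band (assumption of this example)."""
    prev, last_year = H(claim + legacy_sig), 0
    for link in chain:
        if link["prev"] != prev or link["year"] <= last_year:
            return False  # link does not cover the earlier evidence, or is out of order
        if anchors.get(link["year"]) != fingerprint(link["pk"]):
            return False  # renewal key is not one the verifier trusts
        if not verify(link["pk"], prev + str(link["year"]).encode(), link["sig"]):
            return False
        prev, last_year = link_digest(link), link["year"]
    return len(chain) > 0

# Constructed sample input: a claim and an opaque stand-in for today's signature
CLAIM = b"constructed claim: structural steel, batch A"
LEGACY_SIG = b"\x01" * 64
```

A renewal link only carries weight if it was added while the scheme protecting the previous layer was still considered secure; the chain proves continuity of the evidence, not the validity of a signature that was already forgeable when it was wrapped.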

What does not exist is a design discipline for cross-temporal attestations. Nobody is thinking about the UX of verifying a 50-year-old claim. Nobody is designing the governance structures that ensure migration happens. Nobody is building the business models that fund the maintenance of attestation infrastructure across decades.

This might be the least glamorous and most important infrastructure problem in the attestation space. Signing a claim is easy. Maintaining it for 50 years is a discipline that does not exist yet.