====== 5.1 PQ Security for Developers ======

[[.:business:sicherheit:was-ist-pq|Post-Quantum Cryptography]] in the Data Gateway.

===== Architecture =====

<code>
[Client + PQ Certificate]
        | TLS 1.3 (ML-KEM)
[Proxy :443]
        | Named Pipe
[Data Gateway API]
        |
[Database]
</code>

===== Zero Trust Model =====

  * No implicit trust
  * Every certificate is validated
  * Server decides on trustworthiness
  * Only "issued by us" certificates accepted

===== Certificate Hierarchy =====

^ Type ^ Purpose ^ Validity ^
| Root CA | Trust anchor | 10+ years |
| Intermediate CA | Signing | 2-5 years |
| Client Certificate | Authentication | 1 year |
| [[.:entwickler:sicherheit:ephemere-zertifikate|Ephemeral Certificate]] | Session key | Minutes |

===== Further Reading =====

  * [[.:entwickler:sicherheit:zertifikate|Certificate Authentication]]
  * [[.:entwickler:sicherheit:ephemere-zertifikate|Ephemeral Certificates]]
  * [[.:entwickler:sicherheit:tls-konfiguration|TLS 1.3 Configuration]]
  * [[.:business:sicherheit:nist-standards|NIST PQC Standards]]