Comment by BoppreH

6 hours ago

That's because of the difference between Confidentiality goals and Authenticity goals.

If I send you a document encrypted with classical crypto today, an attacker could grab a copy, wait a few years, then decrypt with a quantum computer (Harvest-Now-Decrypt-Later). The contents of the document I sent today are exposed in the future.

For documents/transmissions that must remain confidential for 10 years, assuming a quantum computer available in 2030, you should have been encrypting them with PQC since 2020! And if deploying PQC for your clients and servers takes two years, you should have started migrating in 2018!

But if I send you a signed document, it's safe because you're verifying the signature today and there are no quantum computers available today to forge a new signature. The same goes for SSH authentication and web certificates, for example. They're safe right until the moment quantum computers arrive (and by then you better have a good solution!).

That's why so many open-source projects already support ML-KEM for key exchange/encryption, but signatures are still under discussion. The former is more urgent.
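The timeline reasoning in the comment above, worked out as an added example (not the commenter's code): it encodes the two goal types, where a confidentiality deadline is pushed back by the secrecy lifetime plus rollout time, while an authenticity deadline only needs the rollout finished before the assumed quantum arrival year. The asset names, the 2030 arrival year and the 2-year rollout are constructed sample inputs taken from the comment's numbers.

```python
from dataclasses import dataclass
from enum import Enum


class Goal(Enum):
    CONFIDENTIALITY = "confidentiality"  # content must stay secret for years after sending
    AUTHENTICITY = "authenticity"        # signature is checked at the moment of use


@dataclass(frozen=True)
class Asset:
    name: str
    goal: Goal
    secrecy_years: int    # years the content must remain confidential (0 for authenticity)
    migration_years: int  # years needed to roll PQC out to every client and server


def migration_start_deadline(asset: Asset, quantum_year: int) -> int:
    """Latest year the PQC migration may begin; quantum_year is an assumed CRQC arrival year."""
    if asset.goal is Goal.CONFIDENTIALITY:
        # Traffic sent less than secrecy_years before quantum_year can be harvested now and
        # decrypted later, so PQC must be fully deployed that many years ahead of it.
        return quantum_year - asset.secrecy_years - asset.migration_years
    # Legacy signatures stay unforgeable until quantum_year itself, so the rollout
    # only has to finish by then.
    return quantum_year - asset.migration_years


def assess(asset: Asset, quantum_year: int, current_year: int) -> str:
    """Verdict: on track with slack, or how far behind schedule and what is at risk."""
    deadline = migration_start_deadline(asset, quantum_year)
    slack = deadline - current_year
    if slack >= 0:
        return f"{asset.name}: start migrating by {deadline} ({slack} years of slack)"
    if asset.goal is Goal.CONFIDENTIALITY:
        exposed_from = deadline + asset.migration_years  # first year of unprotected sends
        return (f"{asset.name}: {-slack} years late; classical-crypto traffic sent since "
                f"{exposed_from} may be decrypted after {quantum_year}")
    return f"{asset.name}: {-slack} years late; legacy signatures forgeable from {quantum_year}"


# Constructed sample assets using the comment's numbers (quantum computer assumed in 2030).
DOCUMENTS = Asset("10-year-confidential documents", Goal.CONFIDENTIALITY, 10, 2)
SSH_CERTS = Asset("SSH keys and web certificates", Goal.AUTHENTICITY, 0, 2)

if __name__ == "__main__":
    for asset in (DOCUMENTS, SSH_CERTS):
        print(assess(asset, quantum_year=2030, current_year=2025))
```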