With awareness on the quantum threat to cryptography finally rising, many are looking for experience on migrating to quantum safe cryptography. In our PQC workgroup, seven wildly different companies cooperate to build this experience together. In this talk we teach you what we learned by experimenting. Specifically we talk about our inventory Proof of Concepts, where we try different tactics to get an overview of the cryptography present in our organizations. We discuss how to get information from vendors, if you can reuse certificate issuing logs, how bad or good the current scanning tools work, why TLS 1.3 became an important focus. We contemplate on the effort versus effect of different inventory goals: finding vulnerable crypto, assessing risk, or prioritizing. We reflect on why it helps to do these experiments together. Why reinventing the wheel yourself can be a waste of time, but experimenting isn’t.
