The unauthenticated HPKE modes have been defined using KEM primitives, and it's very easy to slot post-quantum KEM into them. The authenticated modes require AKEM or NIKE primitives, for which we don't really have good solutions right now.

The section on email submission makes a reference to ECH, which I do not understand, but otherwise states that "there are no specific recommendations for SUBMISSION beyond {{ech}}".

HTTPS is fully delved into and has the exact same requirements as email submission: note that email submission also often involves the exchange of authentication tokens or passwords!

Can UTA make such bold requirements?

If the TLS server is not happy with pre-quantum algorithms, then it should simply send the "insufficient_security" alert defined in RFC 8446 and terminate the connection. Otherwise you're still establishing a TLS connection with bad security, which seems like the kind of thing that we got rid of when browsers stopped letting you just click through the "bad certificate" warnings.

E.g. section "Authentication" uses PQ/T, but the section on data confidentiality only uses "hybrid"

@OR13 I think it would be worth teasing apart the CA / signing issues with CRQCs from the encryption ones, perhaps a diagram or 2 could help here.