all indications are that post-quantum crypto will make signatures much
larger than today's RSA does. we may need a larger initial window size,
and we may someday want MTUs larger than the one the internet inherited
from the 1983 10Mbit/sec ethernet standard. but use of ECDSA should help
avoid the size problem until well after QUIC's ubiquitous deployment, in
case we prefer to let the next generation grapple with this instead of
us here/now.
vixie
re:
Luke Curley wrote on 2023-03-31 04:45:
I briefly mentioned an issue in chat.
I was trying to debug why the QUIC handshake was taking 2-RTTs. Well it
turns out that our production certificates are laaarge; the RSA cert and
some intermediates added up to over 5.5kB.
So the client would send a ClientHello padded to 1.2kB. The server would
only be able to send 3.6kB before hitting the amplification limit, and
would have to wait for an acknowledgement (padded again to 1.2kB) before
it could send the next 3.6kB.
Fortunately we didn't need a 3rd round trip. The easy fix is to use an
ECDSA certificate but somehow they weren't supported internally...
--
P Vixie
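
The round-trip arithmetic described in this thread, as an added example that is not code from either poster: a small Python model of a server sending its handshake data under QUIC's three-times anti-amplification limit. The function names, the 2000-byte chain size and the 600-byte figure for the non-certificate handshake messages are assumptions made for illustration; only the 1.2kB, 3.6kB and 5.5kB figures come from the messages above.

```python
"""Model of server handshake flights under the QUIC anti-amplification limit.

Simplifications (assumptions of this example): the limit applies to every
flight, as the thread describes; each client datagram is padded to the same
size; packet header and AEAD overhead are ignored.
"""

AMPLIFICATION_FACTOR = 3   # server may send 3x the bytes it has received
CLIENT_DATAGRAM = 1200     # padded ClientHello / padded acknowledgement


def server_flights(handshake_bytes, client_datagram=CLIENT_DATAGRAM,
                   factor=AMPLIFICATION_FACTOR):
    """Return the bytes the server sends in each flight, one flight per
    client datagram, until all of its handshake data has been sent."""
    if handshake_bytes <= 0 or client_datagram <= 0 or factor <= 0:
        raise ValueError("sizes and factor must be positive")
    flights, received, sent = [], 0, 0
    remaining = handshake_bytes
    while remaining > 0:
        received += client_datagram          # client datagram arrives
        budget = factor * received - sent    # what the limit still allows
        chunk = min(budget, remaining)
        flights.append(chunk)
        sent += chunk
        remaining -= chunk
    return flights


def extra_round_trips(handshake_bytes, **kwargs):
    """Round trips spent waiting on the limit beyond the first flight."""
    return len(server_flights(handshake_bytes, **kwargs)) - 1


def max_chain_for_one_flight(other_handshake_bytes,
                             client_datagram=CLIENT_DATAGRAM,
                             factor=AMPLIFICATION_FACTOR):
    """Largest certificate chain that still fits in the first flight, given
    the size of the rest of the server's handshake messages."""
    return max(0, factor * client_datagram - other_handshake_bytes)


if __name__ == "__main__":
    # 5500 is the chain size reported in the thread; 2000 is a constructed
    # stand-in for a smaller chain, not a measured value.
    for label, size in (("5.5kB chain (thread)", 5500),
                        ("2.0kB chain (constructed)", 2000)):
        print(label, server_flights(size), "extra RTTs:",
              extra_round_trips(size))
    # 600 bytes of other handshake messages is an assumed figure.
    print("chain budget for one flight:", max_chain_for_one_flight(600))
```
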