On Mon, Oct 16, 2023 at 3:51 PM Andrei Popov <andrei.po...@microsoft.com> wrote:
> > - Where these interpretations conflict, the selection may be
> > downgraded, potentially even under attacker influence.
>
> Downgrade by attacker is only possible if the client attempts insecure
> fallback (e.g., offer PQ key share, connection failed, retry without PQ key
> share)?
>
> Or am I missing some other possible downgrade attack?

I think perhaps. The problem is that PQ key shares are going to be split across packets, and some software is going to break. This is just because our current ClientHellos fit in one packet (or maybe a few, the more you add, the worse it gets).

But how are you going to detect whether there's a crappy TCP/IP stack or an attack? You can't. So, as the new things roll out, this will happen. It's not really an interesting problem, but it is real. Think of how TLS 1.3 handshakes pretend to be something older. It's that sort of thing.

thanks,
Rob
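A small model of the fallback problem Rob describes, added here as an example and not code from the thread or from any TLS implementation. The byte sizes, the MSS and the toy "network" are constructed assumptions; the point is that a client which retries without the PQ share after a failed first flight cannot tell a fragmentation-intolerant path from an active attacker, while a fail-closed client cannot be downgraded at all.

```python
# Added model of PQ key-share fallback (example, not code from the thread).
# All sizes below are constructed assumptions, not measured values.
X25519_SHARE = 32      # bytes for a classical key share
PQ_SHARE = 1184        # assumed size of a post-quantum key share
BASE_HELLO = 300       # assumed size of the rest of the ClientHello
MSS = 1460             # TCP payload per segment on a typical path


def client_hello_size(offer_pq: bool) -> int:
    """Size of a ClientHello offering X25519, plus a PQ share if requested."""
    return BASE_HELLO + X25519_SHARE + (PQ_SHARE if offer_pq else 0)


def segments_needed(size: int) -> int:
    """Number of TCP segments the ClientHello occupies (ceiling division)."""
    return -(-size // MSS)


def network_delivers(size: int, drop_multi_segment: bool) -> bool:
    """A path that loses any ClientHello spanning more than one segment.

    The cause may be a broken middlebox or an on-path attacker dropping the
    large first flight: from the client's point of view both look identical.
    """
    return not (drop_multi_segment and segments_needed(size) > 1)


def handshake(fallback_on_failure: bool, drop_multi_segment: bool) -> str:
    """Return the key exchange that ends up negotiated, or 'failed'."""
    if network_delivers(client_hello_size(True), drop_multi_segment):
        return "hybrid-pq"
    if not fallback_on_failure:
        return "failed"           # fail closed: no downgrade is possible
    if network_delivers(client_hello_size(False), drop_multi_segment):
        return "x25519-only"      # silently downgraded; cause is unknowable
    return "failed"


if __name__ == "__main__":
    print("segments with PQ share:", segments_needed(client_hello_size(True)))
    print("fallback client on lossy path:", handshake(True, True))
    print("fail-closed client on lossy path:", handshake(False, True))
```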
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls