On Mon, Oct 16, 2023 at 5:52 PM Andrei Popov <andrei.po...@microsoft.com> wrote:
> > - But how are you going to detect whether there's a crappy TCP/IP
> > stack or an attack? You can't.
>
> Understood. This is a general problem with insecure client-side fallbacks.

Sure, but I think the aim is to say that the server does support Kyber (or something else as large), because there will be a period where the reason for a failure will be unclear.

So, do you see how the DNS signal works around that? I think the idea is that if the DNS record says the server supports Kyber (or whatever), the client might not want to allow X25519. There's just going to be a lot of broken stuff for a while, even if the actual server does support a PQ algorithm.

thanks,
Rob
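The fallback policy sketched in the message above, as an added example that is not part of the thread or of any IETF draft: a client offers a large PQ/hybrid key share first and, if that handshake fails, consults a DNS hint before deciding whether falling back to X25519 is acceptable. The group names, the hint (modelled as a set of group names), the ClientHello sizes and the "broken path" and "active downgrade" failure modes are all constructed assumptions used to exercise the decision; nothing here speaks real TLS.

```python
"""Client key-share fallback gated by a DNS hint (constructed model).

The client cannot distinguish a network path that drops large ClientHellos
from an active downgrade attempt, so it lets a DNS hint decide whether a
silent fall back to X25519 is permitted. All names and sizes are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

PQ_GROUP = "X25519Kyber768"      # assumed hybrid group name
CLASSICAL_GROUP = "X25519"
PQ_HELLO_BYTES = 1300            # constructed: hybrid share pushes the ClientHello past one MTU
CLASSICAL_HELLO_BYTES = 300      # constructed: classical-only ClientHello size


class Outcome(Enum):
    PQ_HANDSHAKE = "pq"            # hybrid key exchange negotiated
    CLASSICAL_FALLBACK = "classical"  # client silently fell back to X25519
    ABORT = "abort"                # client refused to proceed


@dataclass(frozen=True)
class Path:
    """Constructed model of the server plus the network between client and server."""
    server_groups: FrozenSet[str]       # groups the real server will negotiate
    max_hello_bytes: int = 10_000       # a 'crappy TCP/IP stack' drops ClientHellos larger than this
    downgrade_attacker: bool = False    # active attacker breaks every PQ attempt

    def handshake(self, group: str, hello_bytes: int) -> bool:
        """Return True if a ClientHello offering `group` completes end to end."""
        if hello_bytes > self.max_hello_bytes:
            return False                # dropped by the broken path
        if self.downgrade_attacker and group == PQ_GROUP:
            return False                # attacker kills the PQ attempt
        return group in self.server_groups


def connect(path: Path, dns_hint: Optional[FrozenSet[str]]) -> Outcome:
    """Offer the PQ share first; fall back only when DNS does not vouch for PQ support."""
    if path.handshake(PQ_GROUP, PQ_HELLO_BYTES):
        return Outcome.PQ_HANDSHAKE
    # The PQ attempt failed. On the wire this looks the same whether a middlebox
    # dropped the large ClientHello or an attacker forced the failure.
    if dns_hint is not None and PQ_GROUP in dns_hint:
        # DNS says the server supports the PQ group, so refuse X25519 rather than
        # accept a silent downgrade. Broken paths now fail loudly instead.
        return Outcome.ABORT
    if path.handshake(CLASSICAL_GROUP, CLASSICAL_HELLO_BYTES):
        return Outcome.CLASSICAL_FALLBACK
    return Outcome.ABORT


def scenarios() -> dict:
    """Run the cases discussed in the thread and return their outcomes."""
    both = frozenset({PQ_GROUP, CLASSICAL_GROUP})
    hint = frozenset({PQ_GROUP})
    return {
        "clean path, no hint": connect(Path(both), None),
        "attacker, no hint": connect(Path(both, downgrade_attacker=True), None),
        "attacker, hint": connect(Path(both, downgrade_attacker=True), hint),
        "broken path, no hint": connect(Path(both, max_hello_bytes=1000), None),
        "broken path, hint": connect(Path(both, max_hello_bytes=1000), hint),
        "classical-only server, no hint": connect(Path(frozenset({CLASSICAL_GROUP})), None),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome.value}")
```

The two "hint" rows show the trade-off Rob describes: the hint turns the attacker case from a silent downgrade into a visible failure, but it turns a merely broken path into the same visible failure, so a server that publishes the hint must expect clients on broken paths to fail rather than quietly downgrade.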
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls