On Tue, Jan 2, 2024 at 3:30 PM Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> wrote:
> Those who can move to 1.3+, will do so, regardless of this draft. Those
> who can’t, would do whatever’s appropriate in their case – again,
> regardless of this draft.
>
> Same as for any other IETF document. :)
>
> One difference in the current wording is that it would become trivially
> more difficult to get a multi-vendor PQ solution for current TLS 1.2
> implementations. Assuming, of course, that “just use what was defined for
> TLS 1.3 or later” somehow doesn’t occur to everyone.

It is more difficult than "just use what was defined for TLS 1.3 or later". TLS 1.2 has a downgrade attack where a MitM can force a broken, commonly supported group even if the handshake signature is secure/PQ (CurveSwap). TLS 1.3 fixed that.

I do have to add that the scope (I can imagine now) is limited: it affects clients that can disable classical authentication, but cannot disable classical key agreement everywhere.

Best,
Bas
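The structural reason behind the point Bas makes is what the server's handshake signature covers. In TLS 1.2 the ServerKeyExchange signature covers client_random, server_random and the server's ECDH parameters, but not the ClientHello extensions, so an on-path party that rewrites the client's supported_groups list leaves the signature valid; in TLS 1.3 CertificateVerify signs the transcript hash over every handshake message including the ClientHello, so the same rewrite breaks verification. The toy model below is an added example for this thread, not code from the draft, from Bas or from any TLS stack; it uses an HMAC as a stand-in for the server's signature so it runs with the standard library only, and the group codepoints are the IANA supported_groups values (0x0010, secp160r1, stands in for "a broken but still supported group").

```python
"""Toy model of which handshake fields the server's signature covers in
TLS 1.2 (ServerKeyExchange) versus TLS 1.3 (CertificateVerify).

Constructed example: no real TLS encoding, and an HMAC under a constructed
key stands in for the server's handshake signature.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

# IANA supported_groups codepoints.
SECP256R1 = 0x0017
X25519 = 0x001D
WEAK_GROUP = 0x0010  # secp160r1, deprecated; stands in for a broken group

SERVER_SIGNING_KEY = b"constructed-server-key"  # toy stand-in for the server's private key


@dataclass(frozen=True)
class ClientHello:
    client_random: bytes
    supported_groups: tuple  # codepoints in the client's preference order


@dataclass(frozen=True)
class ServerParams:
    server_random: bytes
    named_curve: int
    public_key: bytes


def sign(data: bytes) -> bytes:
    return hmac.new(SERVER_SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def tls12_signed_bytes(ch: ClientHello, sp: ServerParams) -> bytes:
    # RFC 8422 ServerKeyExchange: client_random || server_random || ServerECDHParams.
    # The ClientHello extensions, supported_groups included, are not covered.
    params = bytes([3]) + sp.named_curve.to_bytes(2, "big") + sp.public_key
    return ch.client_random + sp.server_random + params


def encode_client_hello(ch: ClientHello) -> bytes:
    groups = b"".join(g.to_bytes(2, "big") for g in ch.supported_groups)
    return ch.client_random + groups


def tls13_signed_bytes(ch: ClientHello, sp: ServerParams) -> bytes:
    # TLS 1.3 CertificateVerify signs the transcript hash over every handshake
    # message so far, so the full ClientHello (with its group list) is covered.
    transcript = (encode_client_hello(ch) + sp.server_random
                  + sp.named_curve.to_bytes(2, "big") + sp.public_key)
    return hashlib.sha256(transcript).digest()


def rewritten_by_middlebox(ch: ClientHello) -> ClientHello:
    # The server's view of the ClientHello after an on-path party has cut the
    # list down to the weak group, so the server "honestly" selects it.
    return replace(ch, supported_groups=(WEAK_GROUP,))


def run(version: str, tampered: bool,
        client_groups: tuple = (X25519, SECP256R1, WEAK_GROUP)) -> tuple:
    """Return (client_accepts, group_chosen_by_server) for one toy handshake."""
    client_ch = ClientHello(client_random=b"\x11" * 32, supported_groups=client_groups)
    server_view = rewritten_by_middlebox(client_ch) if tampered else client_ch
    chosen = server_view.supported_groups[0]
    sp = ServerParams(server_random=b"\x22" * 32, named_curve=chosen, public_key=b"\x33" * 32)

    signed_bytes = tls12_signed_bytes if version == "1.2" else tls13_signed_bytes
    sig = sign(signed_bytes(server_view, sp))          # server signs what it saw
    sig_ok = verify(signed_bytes(client_ch, sp), sig)  # client checks against what it sent
    # A correct client also rejects a group it never offered; that check does
    # not help when the weak group is still in its own list.
    return sig_ok and sp.named_curve in client_ch.supported_groups, chosen


if __name__ == "__main__":
    for version in ("1.2", "1.3"):
        print(version, "untampered:", run(version, False), "tampered:", run(version, True))
    print("1.2 with weak group removed from the client:",
          run("1.2", True, (X25519, SECP256R1)))
```

The last call shows the narrow remedy available in 1.2: a client that can drop the weak group from its own list rejects the forced choice, while a client that cannot (the case Bas describes) accepts it with a valid signature, whatever that signature's algorithm is.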
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls