Dear TLS WG,

We have just submitted a new proposal, draft-yusef-tls-dual-certs-00, that
extends TLS 1.3 to support authentication using two certificate chains: one
using traditional algorithms and one using post-quantum (PQ) algorithms.
This approach, aimed at closed environments and staged post-quantum
migration, enables stronger session authentication by requiring both
signatures to validate.

The proposal builds on existing TLS 1.3 mechanisms with minimal protocol
changes. It introduces a dual signature algorithm extension and defines how
dual certificate chains and signatures are structured, while preserving
compatibility with Exported Authenticators.

This mechanism complements existing proposals such as composite
certificates (e.g., draft-reddy-tls-composite-mldsa), offering greater
deployment flexibility, especially for systems that require support for
independently validated classical and PQ credentials. It also helps with
phased migration strategies where TLS endpoints have to deal with a mix of
opinionated peers while limiting the need to create a zoo of PKI
hierarchies to satisfy classic, pure PQ as well as all possible
compositions of algorithms.

We welcome your feedback and discussion on the proposal and the design
specifics.

Best Regards,
Hannes, Mike, Rifaat, Tiru, Yaron and Yaroslav


---------- Forwarded message ---------
A new version of Internet-Draft draft-yusef-tls-pqt-dual-certs-00.txt has
been successfully submitted by Yaroslav Rosomakho and posted to the
IETF repository.

Name:     draft-yusef-tls-pqt-dual-certs
Revision: 00
Title:    Post-Quantum Traditional (PQ/T) Hybrid Authentication with Dual Certificates in TLS 1.3
Date:     2025-06-18
Group:    Individual Submission
Pages:    27
URL:      https://www.ietf.org/archive/id/draft-yusef-tls-pqt-dual-certs-00.txt
Status:   https://datatracker.ietf.org/doc/draft-yusef-tls-pqt-dual-certs/
HTML:     https://www.ietf.org/archive/id/draft-yusef-tls-pqt-dual-certs-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-yusef-tls-pqt-dual-certs


Abstract:

   This document extends the TLS 1.3 authentication mechanism to allow
   the negotiation and use of two signature algorithms to enable dual-
   algorithm hybrid authentication, ensuring that an attacker would need
   to break both algorithms to compromise the session.  The two
   signature algorithms come from two independent certificates that
   together produce a single Certificate and CertificateVerify message.



The IETF Secretariat
