On Thu, Jun 19, 2025, at 13:57, Viktor Dukhovni wrote:
> It is far from clear that such hedging is needed for authentication
> certificates.

I'm starting to think that some hedging here is appropriate. There could be a period of time where there is uncertainty about whether a CRQC exists, but they also have latent uncertainty about the PQ algorithms.

I do agree with Viktor's points about TLS though. We have the tools. There is a far less disruptive option.

The whole thing where there are multiple leaf certificates (and certification paths) concerns me. Is this the agreed and established approach for solving this problem in LAMPS (or other groups that are debating this point more closely)?

Even if we had this approach, using signature schemes and defining how a single signature can be comprised of two signatures and then how that means you need to look for two certificates (and certification paths) is a much better fit for the design of TLS. It only requires the definition of the scheme, not a change to how certificates are negotiated.
