On Thu, Jun 19, 2025 at 08:12:11AM +0200, Yaroslav Rosomakho wrote:
> > Why is it impossible to have a classical and pure PQ PKI, and then
> > have clients signal support for which to show, to enable transition?
> > This is what we already have, and already has worked.
>
> It is perfectly possible if you only have clients that require either
> classical or pure PQ signatures. In that case you don’t need dual
> certificates or composite certificates. But clients requiring PQ/T -
> that is both PQ and traditional signature at the same time - would
> need a separate PKI with composite certificates (such as those
> proposed in draft-reddy-tls-composite-mldsa) or dual certificates
> proposed in this draft.
Yes, but unlike the proposal under discussion, composite certificates do
not require new TLS protocol features, just support for composite
signature algorithms and keys, which will also be used in other
protocols. The "dual" certificates proposed here don't appear to be
warranted.
--
Viktor.