On 8/6/25 12:28 AM, Dmitry Belyavsky wrote:
> Dear colleagues,
> We came across the following scenario:
> Server has 2 cert chains, PQ and classical, and prefers PQ.
> A client doesn't have any PQ CAs configured, but at the handshake
> sends PQ sigalgs among others. The server replies with the PQ chain,
> the client can't verify it, and the connection can't be established.
This is the same situation as you having a private certificate chain. If
you have a private chain, and the server uses that chain, then you won't
be able to connect. This isn't unique to ML-DSA. IIRC the client sends a
list of acceptable roots and the server is supposed to stay within
that. That may be adjusted in existing servers because they all 'know'
what root stores you have and assume if you are using a private chain,
you have already included the private root.
Upshot this isn't ML-DSA specific, it happens whenever you are dealing
with your own private root store or spinning up a new root CA.
> We've discussed it and see the following scenarios:
> 1. Consider it to be a client misconfiguration. To prevent this from
> happening, the client is better not to send PQ algos in sigalgs. To
> not send PQ algos, clients should scan CAs and stop sending PQ algos
> if no PQ CAs are available.
As pointed out, the ML-DSA server cert could be cross signed, the client
has no way of knowing this will happen.
> 2. "Smart" clients (e.g. web browsers) should implement fallback from
> PQ to classical algorithms if PQ connection can't be established. I
> vaguely recollect that there were browsers downgrading the protocol
> from TLS 1.3 to TLS 1.2 (and maybe lower) at least several years ago
> but couldn't find the description of this behavior.
This is highly discouraged. Doing so delayed the update of many broken
SSL implementations and creates possible downgrade scenarios the TLS
protocol was designed to prevent.
> 3. Cross-signing PQ certs with classic crypto algorithms, as it
> happened before. It ensures the best client experience. The downside
> of this behavior is that we have to sign a stronger cert with a weaker
> CA, and personally I suspect some browsers forbid such chains.
We test cross-signed certificates as part of our normal test suite, so
yes that should work.
bob
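As an added illustration (not code from this thread or from any TLS implementation), the following toy model shows the chain selection the discussion turns on: the server keeps its PQ preference only when the client advertised the chain's signature algorithm and, if it sent certificate_authorities, a root from that chain; the client-side helper implements scenario 1 by dropping PQ sigalgs when no PQ root is configured. All algorithm labels and DNs are constructed placeholders, not real code points or certificates.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed labels for signature schemes; not real TLS code points.
PQ_SIGALGS = {"mldsa44", "mldsa65", "mldsa87"}
CLASSICAL_SIGALGS = {"ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256"}


@dataclass
class Chain:
    name: str
    sigalg: str   # scheme used by the chain's signatures (constructed label)
    root_dn: str  # subject DN of the chain's trust anchor (constructed)


@dataclass
class ClientHello:
    signature_algorithms: Set[str]
    # None models a ClientHello without the certificate_authorities extension.
    certificate_authorities: Optional[Set[str]] = None


def select_chain(hello: ClientHello, chains: List[Chain]) -> Optional[Chain]:
    """Return the first server-preferred chain the client can plausibly verify.

    `chains` is in server preference order (PQ first in the thread's scenario).
    Without certificate_authorities the server cannot see the client's trust
    store, which is exactly the failure the thread describes.
    """
    for chain in chains:
        if chain.sigalg not in hello.signature_algorithms:
            continue
        if (hello.certificate_authorities is not None
                and chain.root_dn not in hello.certificate_authorities):
            continue
        return chain
    return None


def advertise_sigalgs(trust_store_sigalgs: Set[str], supported: Set[str]) -> Set[str]:
    """Client side of scenario 1: only advertise PQ sigalgs if a PQ root is configured."""
    if not trust_store_sigalgs & PQ_SIGALGS:
        return supported - PQ_SIGALGS
    return set(supported)


# Constructed server configuration: PQ chain preferred over the classical one.
SERVER_CHAINS = [
    Chain("pq", "mldsa65", "CN=Example PQ Root"),
    Chain("classical", "ecdsa_secp256r1_sha256", "CN=Example Classic Root"),
]
```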
TLS mailing list -- [email protected]