Hi,
We expect the migration of TLS endpoints to PQC to span several years. During this period, many clients will likely be configured to accept both traditional and PQ signatures or certificates, creating a potential for rollback attacks. Tiru and I have posted a draft proposing a simple solution based on TLS signaling combined with a client-side caching mechanism. This approach is inspired by HSTS but operates at the TLS layer rather than the HTTP layer.
Thanks,
Yaron
A new version of Internet-Draft draft-sheffer-tls-pqc-continuity-00.txt has
been successfully submitted by Yaron Sheffer and posted to the
IETF repository.
Name: draft-sheffer-tls-pqc-continuity
Revision: 00
Title: PQC Continuity: Downgrade Protection for TLS Servers Migrating to PQC
Date: 2025-10-19
Group: Individual Submission
Pages: 9
Abstract:
As the Internet transitions toward post-quantum cryptography (PQC),
many TLS servers will continue supporting traditional certificates to
maintain compatibility with legacy clients. However, this
coexistence introduces a significant vulnerability: an undetected
rollback attack, where a malicious actor strips the PQC or Composite
certificate and forces the use of a traditional certificate once
quantum-capable adversaries exist.
To defend against this, this document defines a TLS extension that
allows a client to cache a server's declared commitment to present
PQC or composite certificates for a specified duration. On
subsequent connections, clients enforce that cached commitment and
reject traditional-only certificates that conflict with it. This
mechanism, inspired by HTTP Strict Transport Security (HSTS) but
operating at the TLS layer, provides PQC downgrade protection without
requiring changes to certificate authority (CA) infrastructure.
The IETF Secretariat
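A client-side model of the cache-and-enforce behaviour the abstract describes, added here as an illustration and not code from the draft or its authors. The certificate-kind labels, the `max_age` field and the rule that only a handshake authenticated with a PQC or composite certificate may set or clear a commitment are assumptions, not the draft's wire format.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed labels for the certificate kind seen in a handshake.
PQC_KINDS = {"pqc", "composite"}


@dataclass
class Commitment:
    expires_at: float  # absolute time at which the cached commitment lapses


class PqcContinuityCache:
    """HSTS-like cache at the TLS layer: remember a server's declared
    commitment to present PQC/composite certificates and refuse a
    traditional-only certificate while that commitment is unexpired."""

    def __init__(self) -> None:
        self._cache: Dict[str, Commitment] = {}

    def check(self, host: str, cert_kind: str, now: float) -> bool:
        """True if the handshake may proceed, False if it is a downgrade.
        Expired entries are evicted; unknown hosts are trust-on-first-use."""
        entry = self._cache.get(host)
        if entry is not None and now >= entry.expires_at:
            del self._cache[host]
            entry = None
        if entry is None:
            return True
        return cert_kind in PQC_KINDS

    def observe(self, host: str, cert_kind: str,
                max_age: Optional[int], now: float) -> None:
        """Record the commitment carried by the server's extension.
        Assumption: honoured only when this handshake itself used a
        PQC/composite certificate, so a stripped connection cannot plant,
        extend or clear a commitment. max_age == 0 clears the entry."""
        if max_age is None or cert_kind not in PQC_KINDS:
            return
        if max_age <= 0:
            self._cache.pop(host, None)
            return
        self._cache[host] = Commitment(expires_at=now + max_age)


def simulate() -> List[bool]:
    """Constructed scenario; returns the accept/reject decision per handshake."""
    cache, host, out = PqcContinuityCache(), "example.com", []
    for now, kind, max_age in [(0, "pqc", 86400),        # first contact, commit
                               (3600, "traditional", None),  # stripped: reject
                               (3600, "composite", 86400),   # refresh commitment
                               (100000, "traditional", 86400)]:  # expired: TOFU again
        ok = cache.check(host, kind, now)
        if ok:
            cache.observe(host, kind, max_age, now)
        out.append(ok)
    return out
```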