Tim, you might be happy with cryptography that is sufficient against the local Wifi provider. Some of us deal with scenarios where nation-state actors are a legitimate threat. I believe that this working group needs to keep that in mind.
Also, attacks against authentication need not involve MITM - another approach would be an impersonation attack, which is easy if mTLS is involved.

________________________________
From: [email protected] <[email protected]>
Sent: Wednesday, April 22, 2026 6:57 PM
To: Blumenthal, Uri - 0553 - MITLL <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [TLS] Re: Working Group Last Call for Use of ML-DSA in TLS 1.3

Blumenthal, Uri - 0553 - MITLL <[email protected]> wrote on 22.04.2026 21:52 CEST:

> There can be arguments about the life expectancy of hybrids - from zero to CRQC appearance - but can be no objection to the point that once CRQC is here, only pure PQ will make sense.

How do you come to this conclusion? Do you assume that CRQCs will quickly become a cheap commodity?

My current understanding of the projected developments is that quantum computers will be very expensive for the foreseeable future and that even well-financed attackers (e.g. nation-state actors) will only have a limited throughput of keys to crack. In the short term, even just keeping the capability secret might be valuable enough to severely limit its use.

Following this projection, I would assign significant probability to a scenario where only high-value keys are at risk in the near term. Most PKIs and most TLS usage *outside of the web* would then be pretty safe against quantum computing attacks. Even more so when the authentication keys are not part of a PKI at all, e.g. self-signed certificates (or raw public keys) for use in IoT/OT.

You could even make the point that authentication keys are the keys where classical cryptography will retain its value the longest, as you always need MitM attacks for compromises, which usually have a higher risk profile for the attacker. At the very least, I'd say ECDSA will be good enough for the foreseeable future to prevent attacks from the typical local WiFi provider (coffee shop, etc.).

Of course, any discussion about hybrids/composites is moot if you believe the security of the chosen PQC to be beyond any doubt.

Best regards,
Tim Beckmann
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]