Hi Stephen, The authors of the draft that Ekr referenced below are working on a new version of the draft to address the feedback we received when this was presented in Madrid. There is also an ongoing discussion that includes different interested parties from different organizations and universities that are interested in such a solution.
Happy to chat about this offline if you'd like. Regards, Rifaat On Wed, Apr 29, 2026 at 7:58 PM Stephen Farrell <[email protected]> wrote: > > Hiya, > > On 30/04/2026 00:36, Eric Rescorla wrote: > > Even stipulating for the moment that it's good to sign with multiple > > certificates, I do not believe that this is the correct approach to doing > > so. > > I wouldn't class my question as really proposing an approach, > more as wondering if there's interest in tackling the problem > of composite signatures requiring servers to have to have loads > of uselessly different certs to do be able to make the composite > signatures that a variety of clients might need. > > > If we're going to do something here, something more like > > https://datatracker.ietf.org/doc/draft-yusef-tls-pqt-dual-certs/ seems > like > > a better starting point. > > Sure, that'd certainly be a more real starting point, though I > suspect there'd be lots of work required still. (Thanks for the > ref though, I'd not read that before.) > I guess a better form of my question is whether there's interest > in tackling that server configuration issue for those who would > like to have both traditional and PQ authentication (for some > period)? > > Cheers, > S. > > > > > > -Ekr > > > > > > On Wed, Apr 29, 2026 at 4:27 PM Stephen Farrell < > [email protected]> > > wrote: > > > >> > >> Hiya, > >> > >> Given that it may be the case that getting certificates for > >> composite signing keys could be impractical and also involve > >> a combinatoric explosion in the number of credentials severs > >> would need to have available, I wonder if anyone has explored > >> whether it'd be useful to look at defining a way in which a > >> server (or, I guess, a client) could authenticate using more > >> than one CertificateVerify message? > >> > >> I guess that figuring that all out, and getting it implemented > >> and deployed would involve a pile of work, but ISTM it might > >> be useful, hence the question:-) > >> > >> Cheers, > >> S. > >> > >> PS: If this isn't a bonkers idea, I'd be willing to do work on > >> it, for whatever that'd be worth:-) > >> > >> _______________________________________________ > >> TLS mailing list -- [email protected] > >> To unsubscribe send an email to [email protected] > >> > > > > _______________________________________________ > TLS mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
