> So you'd ask each server to install say 20 certificates for each domain:
> one for each composite?
Not quite. Each server (and opt. by symmetry, client, but let's keep it simple) would be given one composite certificate. This seems common practice with today's server software and PKI usage even outside the web, even if the server supports multiple certificates.

That is just a special case of what I said. I view this as the server supporting the cross product of one traditional algorithm and one PQ algorithm. If most clients similarly implement a cross product of their supported algorithms then any incompatible client will not support either the PQ part or the T part of the composite. In the former case, we would have the same interop problem even without hybrids, and in the latter we would have it today.

-- TBB
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
