On Thu, Apr 30, 2026 at 12:59 PM Bellebaum, Thomas <thomas.bellebaum= [email protected]> wrote:
> > So you'd ask each server to install say 20 certificates for each
> > domain: one for each composite?
>
> Not quite. Each server (and opt. by symmetry, client, but let's keep it
> simple) would be given one composite certificate.

If we assume servers only install one composite certificate, then the
clients need to accept all composites if they wish to visit all servers.
As security crucially only depends on what the client accepts and not
what the server provisions, this means we also cannot accept a preference
for different composites based on security. So why prefer one composite
over another?

(Just support all variants is easier said than done, certainly if clients
are constrained and need hardware acceleration. This is of course a bit
farther from my usual field, but I'm sure there are folk on this list
that are not very enthusiastic about having to implement every ECC curve
for which a composite is defined.)

> I view this as the server supporting the cross product of one traditional
> algorithm and one PQ algorithm.

I'm confused now. Are we talking about composite or are we talking about
Stephen's suggestion?

Best,

Bas
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
