On Thu, Apr 30, 2026 at 10:32:33AM +0200, Muhammad Usama Sardar wrote:
> Hi Stephen,
> 
> On 30.04.26 01:25, Stephen Farrell wrote:
> > I wonder if anyone has explored
> > whether it'd be useful to look at defining a way in which a
> > server (or, I guess, a client) could authenticate using more
> > than one CertificateVerify message?
> 
> Yes, please see Sec. 9.1.2 of [0]. The detailed design and formal analysis
> of this is in a paper that we submit next week. Happy to share that off-list
> if you are interested.
> 
> As Ekr pointed out, [1] is a good start. I believe the authors have done good
> work. If you (and others) find that it is a potentially useful direction,
> please attest to it in the thread [2] to move this work forward.

As already pointed out, that draft messes with TLS library APIs in bad
ways. 

Furthermore, to me the design seems dangerous due to excessive
flexibility. As bad as hybrids are, this seems _way_ worse.


> In my understanding, at least 21 member states of the EU need hybrids. We
> have to do something for them. 

How many of those are just recommendations? Of those that are not, to
whom do they apply? Do those also apply to signatures?

And the requirements had better come with security profile standards.


> So I read "way too complicated" mentioned in
> the thread as "let's get started with some serious work rather than
> doing hacks like standalone ML-DSA."

There is nothing hacky about stand-alone ML-DSA in TLS 1.3. 

In contrast, hybrids are a hack (and also trouble outside of a few cases,
which happen to include TLS 1.3 key exchange).




-Ilari
