On Thu, Apr 30, 2026 at 02:56:01PM +0000, Bellebaum, Thomas wrote:
> Assume we use plan 2 and a client implementing the cross product of
> its chosen algorithms, while connecting to some server, fails to
> validate a certificate issued by (say) CAi. By deduction, it cannot
> validate PQi+Ti, so it either cannot validate PQi (meaning this
> connection would have also failed, had we followed plan 1) or it
> cannot validate Ti (meaning this connection would have failed now).

No, this assumes that each client library will implement and, either by
default, or in typical client configurations, include among its
supported signature algorithms TLS codepoints associated with at least
each of:

id-MLDSA44-ECDSA-P256-SHA256
id-MLDSA44-Ed25519-SHA512
id-MLDSA44-RSA2048-PKCS15-SHA256
id-MLDSA44-RSA2048-PSS-SHA256
id-MLDSA65-ECDSA-P256-SHA512
id-MLDSA65-ECDSA-P384-SHA512
id-MLDSA65-ECDSA-brainpoolP256r1-SHA512
id-MLDSA65-Ed25519-SHA512
id-MLDSA65-RSA3072-PKCS15-SHA512
id-MLDSA65-RSA3072-PSS-SHA512
id-MLDSA65-RSA4096-PKCS15-SHA512
id-MLDSA65-RSA4096-PSS-SHA512
id-MLDSA87-ECDSA-P384-SHA512
id-MLDSA87-ECDSA-P521-SHA512
id-MLDSA87-ECDSA-brainpoolP384r1-SHA512
id-MLDSA87-Ed448-SHAKE256
id-MLDSA87-RSA3072-PSS-SHA512
id-MLDSA87-RSA4096-PSS-SHA512

This is based on what's presently in:
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-sigs-19#section-8.1.2

Which makes (so far) for 18 signature schemes instead of 3, with 18
public key and signature formats to implement. The list will grow...

If we're truly expecting CrQCs by ~2029, for example:
https://scottaaronson.blog/?p=9718
the composites are all pointless. Support for just "mldsa44" and
perhaps "mldsa65" (or their PQ-only replacements) should suffice for
mainstream public sites. TLS software libraries can implement
"mldsa87", but perhaps not include it in the default list of supported
signature algorithms. Sufficiently motivated server operators and their
specific clients can opt in to configurations that also support
"mldsa87".

Meanwhile, I intend to sit out support for composites: whether we need
them or not should become more clear in the not too distant future.

--
Viktor. 🇺🇦 Слава Україні!