> > Let's start with two fully migrated endpoints:
> > [...]
> This sounds like you suggest combining the classical chain for a legacy
> client with the post-quantum chain. How do you address the problem I
> pointed out that you don't want upgraded clients to accept the classical
> chain for the legacy client?

I don't. See the first sentence above :)

> To wit: the classical certificate for a legacy server obviously has a
> classical leaf, but a post-quantum chain. That could be composite. The
> present proposal does not recover composites there as that would require a
> server upgrade. If there isn't a way to do that, then the present proposal
> has no value, as clients are only as secure as the weakest thing they
> accept.

The idea was to replace every PQ-only signature with a composite, which in the above legacy-server setting would apply to the chain, not the end entity certificate. Not sure what you mean by "recover", but the problem is somewhat orthogonal to the PQ-only vs. composite debate, since a legacy server is forced to sign traditionally either way.

-- TBB
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
