Hi Michael, just one clarification (though I don't think it changes your analysis very much):
> I understand calling this a downgrade attack, but I think it deserves a
> more specific name. Given existence of a CRQC, then it's effectively the
> same as at least one end point revealing their private key.

You're thinking of the key-compromise impersonation attack. There is also the identity misbinding attack, which doesn't require either end point to reveal their key. (Imagine each endpoint is using ML-DSA for signing.) See [1] for details.

Best,
Chris P.

[1] https://datatracker.ietf.org/doc/html/draft-smyslov-ipsecme-ikev2-downgrade-prevention-01#section-4-7
_______________________________________________
IPsec mailing list -- ipsec@ietf.org
To unsubscribe send an email to ipsec-le...@ietf.org