> On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> > wrote: > > For a Web GUI with the user at the console (e.g., a Web browser), it might be > OK. > > For my needs (devices talking to each other over austere links), sending the > root CA very is both useless and wasteful. One you factor in the sizes of > Post-Quantum keys and signatures - you’ll start disliking this idea even > more.
There's no urgency in post-quantum keys for CA signatures in TLS. Their future weakness does not compromise today's traffic. Until actual scalable QCs start cracking RSA and ECDSA in near real-time only the ephemeral key agreement algorithm needs to be PQ-resistant now to future-proof session confidentiality. So certificates can continue to use RSA and ECDSA for quite some time. -- Viktor.