You are right - there’s no urgency in PQ signatures. 

However, PQ KEM keys aren’t small. And, as I said, for austere links every 
unnecessary byte of crap hurts. 

Also, sending root certs seems (marginally) useful only when the recipient is a 
Web browser. And even then I assume most of the IT people would want to block 
the ability of a “mere” user to add an “unblessed” trusted root. 


> On Mar 31, 2021, at 14:15, Viktor Dukhovni <> wrote:
>> On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL 
>> <> wrote:
>> For a Web GUI with the user at the console (e.g., a Web browser), it might 
>> be OK. 
>> For my needs (devices talking to each other over austere links), sending the 
>> root CA very is both useless and wasteful. Once you factor in the sizes of 
>> Post-Quantum keys and signatures - you’ll start disliking this idea even 
>> more. 
> There's no urgency in post-quantum keys for CA signatures in TLS.  Their
> future weakness does not compromise today's traffic.  Until actual scalable
> QCs start cracking RSA and ECDSA in near real-time only the ephemeral key
> agreement algorithm needs to be PQ-resistant now to future-proof session
> confidentiality.
> So certificates can continue to use RSA and ECDSA for quite some time.
> -- 
>    Viktor.
