You are right - there’s no urgency in PQ signatures. However, PQ KEM keys aren’t small. And, as I said, für austere links every unnecessary byte of crap hurts.
Also, sending root certs seems (marginally) useful only when the recipient is a Web browser. And even then I assume most of the IT people would want to block the ability of a “mere” user to add an “unblessed” trusted root. Regards, Uri > On Mar 31, 2021, at 14:15, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: > > >> >> On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL >> <u...@ll.mit.edu> wrote: >> >> For a Web GUI with the user at the console (e.g., a Web browser), it might >> be OK. >> >> For my needs (devices talking to each other over austere links), sending the >> root CA very is both useless and wasteful. One you factor in the sizes of >> Post-Quantum keys and signatures - you’ll start disliking this idea even >> more. > > There's no urgency in post-quantum keys for CA signatures in TLS. Their > future weakness does not compromise today's traffic. Until actual scalable > QCs start cracking RSA and ECDSA in near real-time only the ephemeral key > agreement algorithm needs to be PQ-resistant now to future-proof session > confidentiality. > > So certificates can continue to use RSA and ECDSA for quite some time. > > -- > Viktor. >
Description: S/MIME cryptographic signature