In general - I concur, but there are nuances: sending root CA cert is mostly harmless, but mostly useless - except when there's a human on the receiving end that can and is allowed to make a decision to accept and trust that CA cert.
Re. PQC - even the "smallest" among them are much larger than what the Classic
keys and signatures are. E.g., Falcon-1024 signature is 1330 bytes (or often
less - say, 1200 bytes). Falcon-1024 public key is 1793 bytes. Compare to,
e.g., ECC-384 sizes... NTRU public keys are "easier", but not by that much:
1230 bytes. Kyber public key is 1568 bytes. And I picked the *smallest* ones -
those I'd consider using myself.
There's also McEliece... __
--
Regards,
Uri
There are two ways to design a system. One is to make is so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
On 4/1/21, 10:23, "openssl-users on behalf of Michael Wojcik"
<openssl-users-boun...@openssl.org on behalf of michael.woj...@microfocus.com>
wrote:
Thanks to everyone who responded. You've confirmed my impression:
- There doesn't appear to be any applicable standard which requires or
forbids including the root, or even endorses or discourages it).
- It's harmless except for performance issues and possible low-severity
flags from analyses like Qualys's. (I wouldn't be surprised to have a customer
raise this -- many of our customers run various scanning tools -- but for the
products I work with, customers configure certificate chains anyway, so it's
not a product issue.)
- Performance issues are likely negligible in many cases, where servers
aren't dealing with huge workloads, but it's worth remembering that eventually
people will be deploying PQC and most of the NIST finalists involve
significantly larger keys or signatures. (They don't *all* have much larger
keys/signatures; Falcon has a small combined public key and signature, if
memory serves.)
--
Michael Wojcik
smime.p7s
Description: S/MIME cryptographic signature
