In general - I concur, but there are nuances: sending root CA cert is mostly harmless, but mostly useless - except when there's a human on the receiving end that can and is allowed to make a decision to accept and trust that CA cert.
Re. PQC - even the "smallest" among them are much larger than what the Classic keys and signatures are. E.g., Falcon-1024 signature is 1330 bytes (or often less - say, 1200 bytes). Falcon-1024 public key is 1793 bytes. Compare to, e.g., ECC-384 sizes... NTRU public keys are "easier", but not by that much: 1230 bytes. Kyber public key is 1568 bytes. And I picked the *smallest* ones - those I'd consider using myself. There's also McEliece... __ -- Regards, Uri There are two ways to design a system. One is to make is so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. - C. A. R. Hoare On 4/1/21, 10:23, "openssl-users on behalf of Michael Wojcik" <openssl-users-boun...@openssl.org on behalf of michael.woj...@microfocus.com> wrote: Thanks to everyone who responded. You've confirmed my impression: - There doesn't appear to be any applicable standard which requires or forbids including the root, or even endorses or discourages it). - It's harmless except for performance issues and possible low-severity flags from analyses like Qualys's. (I wouldn't be surprised to have a customer raise this -- many of our customers run various scanning tools -- but for the products I work with, customers configure certificate chains anyway, so it's not a product issue.) - Performance issues are likely negligible in many cases, where servers aren't dealing with huge workloads, but it's worth remembering that eventually people will be deploying PQC and most of the NIST finalists involve significantly larger keys or signatures. (They don't *all* have much larger keys/signatures; Falcon has a small combined public key and signature, if memory serves.) -- Michael Wojcik
Description: S/MIME cryptographic signature