> On 21 May 2019, at 2:08 pm, Hugo Krawczyk <h...@ee.technion.ac.il> wrote:
> 
> A clarification on the text suggested below by Russ.
> 
> The way I see it, the external PSK as used in 
> draft-ietf-tls-tls13-cert-with-extern-psk is not intended as a means of 
> authentication but as a way of regaining forward secrecy in case the (EC)DHE 
> mechanism is ever broken (e.g., by cryptanalysis or by a quantum computer).

It’s a bit problematic if the expected use of the draft is with 
quantum-resistant certificates, because TLS doesn’t support those yet.

If that’s the intent, shouldn’t the draft say something like "The server MUST 
choose a quantum-resistant algorithm when considering those listed in 
signature_algorithms_cert and/or signature_algorithms.  The client MUST supply 
at least one quantum-resistant algorithm in signature_algorithms, and in 
signature_algorithms_cert if present."?  But that makes it unimplementable 
until such an algorithm is specified...
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
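The quoted point that an external PSK is there to regain security if (EC)DHE is ever broken, rather than to authenticate, follows directly from how the TLS 1.3 key schedule (RFC 8446, section 7.1) folds the PSK into the Early Secret before the (EC)DHE shared secret is extracted. The following Python model is an added example, not code from the thread or from either draft: it implements HKDF-Extract, HKDF-Expand-Label and Derive-Secret for SHA-256 and computes the Handshake Secret with and without a PSK, so one can see that an adversary holding the (EC)DHE shared secret still cannot reach the Handshake Secret without the PSK. Transcript hashing of real handshake messages, binders and traffic keys are left out; the PSK and shared-secret values are constructed for illustration, and `attacker_can_recover` is a hypothetical helper that models the adversary's position.

```python
"""
Added example (not from the mailing-list thread): a minimal model of the
TLS 1.3 key schedule (RFC 8446 section 7.1) from Early Secret to Handshake
Secret, used to show why an external PSK combined with (EC)DHE keeps the
Handshake Secret out of reach of an adversary who can recover the (EC)DHE
shared secret but not the PSK. All key material below is constructed.
"""
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM).
    An absent salt is Hash.length zero bytes, as TLS 1.3 specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1): the info string is the HkdfLabel
    structure: uint16 length, opaque "tls13 " + label, opaque context."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) =
    HKDF-Expand-Label(Secret, Label, Transcript-Hash(Messages), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secret(psk: Optional[bytes], ecdhe_shared: bytes) -> bytes:
    """Early Secret -> Handshake Secret per the RFC 8446 key schedule.
    With no PSK, the Early Secret IKM is Hash.length zero bytes."""
    early_secret = hkdf_extract(b"", psk if psk is not None else bytes(HASH_LEN))
    derived = derive_secret(early_secret, "derived", b"")
    return hkdf_extract(derived, ecdhe_shared)


def attacker_can_recover(psk: Optional[bytes], ecdhe_shared: bytes,
                         attacker_psk: Optional[bytes]) -> bool:
    """Hypothetical helper modelling an adversary who has recovered the
    (EC)DHE shared secret (the scenario the quoted mail describes) and
    holds attacker_psk as its knowledge of the external PSK. Returns True
    if it reaches the same Handshake Secret as the honest peers."""
    honest = handshake_secret(psk, ecdhe_shared)
    reconstructed = handshake_secret(attacker_psk, ecdhe_shared)
    return hmac.compare_digest(honest, reconstructed)


# Constructed sample values (not real keys, not from any RFC test vector).
EXTERNAL_PSK = hashlib.sha256(b"constructed external PSK").digest()
ECDHE_SHARED = hashlib.sha256(b"constructed (EC)DHE shared secret").digest()


if __name__ == "__main__":
    print("no PSK, (EC)DHE recovered -> handshake secret exposed:",
          attacker_can_recover(None, ECDHE_SHARED, None))
    print("external PSK, (EC)DHE recovered, PSK unknown -> exposed:",
          attacker_can_recover(EXTERNAL_PSK, ECDHE_SHARED, None))
```

The two prints make the quoted argument concrete: with no PSK the adversary's Early Secret is the same all-zeros extract the honest peers use, so recovering the (EC)DHE secret yields the Handshake Secret; with an external PSK, the Early Secret depends on the PSK and the (EC)DHE secret alone is not enough. Nothing in this schedule ties the PSK to a certificate, which is why it does not by itself provide the authentication the draft attributes to the certificate.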