> To clarify, are you continuing to claim that there's "no damage possible
> (at least, in the TLS context) caused by PQ DSA break", despite the
> facts that (1) upgrades often take a long time and (2) attackers aren't
> going to announce their secret attacks?

For (1) I call it not an “upgrade” (i.e., to something new and often untested yet), but a “downgrade” – reverting to the “old mature and well-tested ECC code”. Shouldn’t take long at all.

For (2) – why do you assume there are no secret attacks against ECC? Merely because you couldn’t find one, and nobody announced it yet?

>> then don’t move to PQ DSA until either CRQC is announced
>
> That would be too late. It completely fails to address the large risk of
> quantum attacks happening before the first public attack demos, plus it
> leaves users vulnerable during the upgrade period.

You don’t really need PQ DSA until CRQC is here. At this point, everybody seems to agree that there is time before CRQC arrives. So, keep studying/exploring/attacking PQ DSA, and prepare code and infrastructure to deploy it – but use ECC for now. It will also
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org