> To clarify, are you continuing to claim that there's "no damage possible
> (at least, in the TLS context) caused by PQ DSA break", despite the
> facts that (1) upgrades often take a long time and (2) attackers aren't
> going to announce their secret attacks?


For (1) I call it not an “upgrade” (i.e., to something new and often untested 
yet), but a “downgrade” – reverting to the “old mature and well-tested ECC 
code”. Shouldn’t take long at all. 
For (2) – why do you assume there are no secret attacks against ECC? Merely 
because you couldn’t find one, and nobody announced it yet? 

>> then don’t move to PQ DSA until either CRQC is announced
>
> That would be too late. It completely fails to address the large risk of
> quantum attacks happening before the first public attack demos, plus it
> leaves users vulnerable during the upgrade period.


You don’t really need PQ DSA until CRQC is here. At this point, everybody seems 
to agree that there is time before CRQC arrives. So, keep 
studying/exploring/attacking PQ DSA, and prepare code and infrastructure to 
deploy it – but use ECC for now. It will also 






TLS mailing list -- tls@ietf.org