Dear colleagues,

We came across the following scenario: a server has 2 cert chains, PQ and classical, and prefers PQ.

A client doesn't have any PQ CAs configured, but at the handshake it sends PQ sigalgs among others. The server replies with the PQ chain, the client can't verify it, and the connection can't be established.

We've discussed it and see the following scenarios:

1. Consider it to be a client misconfiguration. To prevent this from happening, it is better for the client not to send PQ algos in sigalgs. To not send PQ algos, clients should scan CAs and stop sending PQ algos if no PQ CAs are available.

2. "Smart" clients (e.g. web browsers) should implement fallback from PQ to classical algorithms if a PQ connection can't be established. I vaguely recollect that there were browsers downgrading the protocol from TLS 1.3 to TLS 1.2 (and maybe lower) at least several years ago, but couldn't find the description of this behavior.

3. Cross-signing PQ certs with classic crypto algorithms, as has happened before. It ensures the best client experience. The downside of this behavior is that we have to sign a stronger cert with a weaker CA, and personally I suspect some browsers forbid such chains.

Are there any other scenarios we are missing? Is this topic relevant for TLS, PQUIP, or some other community (e.g. CA/Browser Forum)?

--
SY, Dmitry Belyavsky
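The mismatch described above, as an added toy model that is not part of the original post: the server picks the first chain (in its preference order) whose scheme the client lists in signature_algorithms_cert (RFC 8446 treats that extension, falling back to signature_algorithms, as the client's statement of what it can validate), and the client then checks whether the chain ends in a CA it trusts. Scenario 1 (derive the advertised schemes from the trust store) and scenario 2 (retry without the failed scheme) are both modelled; the scheme names, CA names and chain layout are constructed placeholders, and a chain is simplified to a single signature scheme.

```python
from dataclasses import dataclass

PQ_SIG = "pq_sig"  # placeholder for a PQ SignatureScheme codepoint
CLASSICAL_SIG = "ecdsa_secp256r1_sha256"

# Constructed CA registry: CA name -> scheme the CA signs with
CA_SCHEMES = {"PQ Root": PQ_SIG, "Classic Root": CLASSICAL_SIG}

@dataclass(frozen=True)
class Chain:
    name: str
    sig: str   # scheme used throughout the chain (simplification)
    root: str  # trust anchor the chain terminates in

# The server's two chains, PQ first because the server prefers it
SERVER_CHAINS = [Chain("pq-chain", PQ_SIG, "PQ Root"),
                 Chain("classic-chain", CLASSICAL_SIG, "Classic Root")]

@dataclass
class Client:
    trusted_cas: frozenset
    supported: tuple = (PQ_SIG, CLASSICAL_SIG)  # schemes the code can verify

    def sigalgs_cert(self, scan_trust_store: bool) -> list:
        """Scenario 1: only advertise schemes some trusted CA can anchor."""
        if not scan_trust_store:
            return list(self.supported)
        anchored = {CA_SCHEMES[ca] for ca in self.trusted_cas if ca in CA_SCHEMES}
        return [s for s in self.supported if s in anchored]

def select_chain(chains, sigalgs_cert):
    """Server side: first chain in preference order the client claims to accept."""
    return next((c for c in chains if c.sig in sigalgs_cert), None)

def handshake(client: Client, scan_trust_store=False, fallback=False) -> str:
    """Outcome of one connection attempt; fallback=True models scenario 2."""
    offered = client.sigalgs_cert(scan_trust_store)
    while True:
        chain = select_chain(SERVER_CHAINS, offered)
        if chain is None:
            return "fail: no common chain"
        if chain.root in client.trusted_cas:
            return f"ok: {chain.name}"
        if not fallback:
            # This is the reported failure: client asked for PQ, cannot verify it
            return f"fail: untrusted {chain.name}"
        offered = [s for s in offered if s != chain.sig]  # retry without that scheme
```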