Dear Viktor,

On Wed, Aug 6, 2025 at 4:14 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> On Wed, Aug 06, 2025 at 09:28:07AM +0200, Dmitry Belyavsky wrote:
>
> > We came across the following scenario: Server has 2 cert chains, PQ
> > and classical, and prefers PQ.
>
> If this is for a public HTTPS server, my take is that it is premature
> for the server to offer PQ certificates signed by non-WebPKI CAs. Since
> there are no PQ roots in the WebPKI trust bundle, PQ HTTP server
> certificates are best avoided for now.

This is a test setup as of now and a not so long shot for the future.
I understand your reasoning, but isn't it a sort of Catch-22?

> So basically, the onus to do the interoperable thing is primarily on the
> server: don't deploy certs the expected client community can't verify,
> be they PQ or "classical".

IRL web clients would have to do something, I suppose?

--
SY, Dmitry Belyavsky

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
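The chain-selection decision the thread is about, as an added illustration that is not code from either poster or from any TLS implementation: a server holding a PQ chain and a classical chain, preferring PQ, picks the chain the ClientHello says the client can actually verify. The model follows RFC 8446 (signature_algorithms governs CertificateVerify, signature_algorithms_cert governs the signatures on the certificates and falls back to signature_algorithms when absent, certificate_authorities names the client's trust anchors) and, when nothing matches, continues with the server's first-preference chain as 4.4.2.2 allows. The `Chain`/`ClientHello` structures, the client hellos and the scheme name `mldsa65` are constructed for the example; `mldsa65` is a placeholder, not a registered TLS SignatureScheme code point.

```python
"""Server-side certificate chain selection modelled on RFC 8446 sections 4.2.3 and 4.4.2.2.

Constructed example: two server chains (PQ and classical), server prefers PQ,
and the choice is driven by what the ClientHello says the client can verify.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Chain:
    name: str
    leaf_key_alg: str                 # scheme the leaf key will use in CertificateVerify
    issuer_sig_algs: Tuple[str, ...]  # scheme of each issuer signature on the chain (root self-signature excluded)
    root_name: str                    # trust anchor the chain terminates in


@dataclass(frozen=True)
class ClientHello:
    signature_algorithms: FrozenSet[str]
    signature_algorithms_cert: Optional[FrozenSet[str]] = None
    certificate_authorities: Optional[FrozenSet[str]] = None


def cert_sig_algs(hello: ClientHello) -> FrozenSet[str]:
    """RFC 8446 4.2.3: without signature_algorithms_cert, signature_algorithms
    also governs the signatures appearing in certificates."""
    if hello.signature_algorithms_cert is not None:
        return hello.signature_algorithms_cert
    return hello.signature_algorithms


def chain_is_verifiable(chain: Chain, hello: ClientHello) -> bool:
    """True when nothing in the ClientHello rules this chain out."""
    # CertificateVerify is signed with the leaf key: the client must accept that scheme.
    if chain.leaf_key_alg not in hello.signature_algorithms:
        return False
    # Every issuer signature in the chain must use a scheme the client accepts on certificates.
    if not all(alg in cert_sig_algs(hello) for alg in chain.issuer_sig_algs):
        return False
    # If the client names the CAs it trusts, a chain ending elsewhere is not known to verify.
    if hello.certificate_authorities is not None and chain.root_name not in hello.certificate_authorities:
        return False
    return True


def select_chain(chains: Sequence[Chain], hello: ClientHello) -> Tuple[Chain, bool]:
    """Return (chain, known_verifiable). `chains` is in server preference order.

    RFC 8446 4.4.2.2: if no chain matches what the client advertised, the server
    SHOULD still continue with a chain of its choice; this example uses the first
    (most preferred) chain and flags it False so the caller can log the likely failure.
    """
    for chain in chains:
        if chain_is_verifiable(chain, hello):
            return chain, True
    return chains[0], False


# Constructed sample data. "mldsa65" is a placeholder scheme name for this example,
# not an IANA-registered TLS SignatureScheme code point.
PQ_CHAIN = Chain("pq", "mldsa65", ("mldsa65",), "Test PQ Root")
CLASSICAL_CHAIN = Chain("classical", "ecdsa_secp256r1_sha256", ("rsa_pkcs1_sha256",), "Public Root")
SERVER_PREFERENCE = (PQ_CHAIN, CLASSICAL_CHAIN)  # server prefers PQ, as in the thread

# A WebPKI browser: classical schemes only, no PQ roots, no certificate_authorities extension.
BROWSER_HELLO = ClientHello(frozenset({"ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256", "rsa_pkcs1_sha256"}))

# A PQ-capable test client that has the test PQ root installed.
PQ_TEST_HELLO = ClientHello(frozenset({"mldsa65", "ecdsa_secp256r1_sha256", "rsa_pkcs1_sha256"}))

# A PQ-capable client that nevertheless only trusts the public root.
PQ_PUBLIC_TRUST_HELLO = ClientHello(
    frozenset({"mldsa65", "ecdsa_secp256r1_sha256", "rsa_pkcs1_sha256"}),
    certificate_authorities=frozenset({"Public Root"}),
)

# A client that accepts ML-DSA in the handshake but restricts certificate signatures to RSA.
SPLIT_ALGS_HELLO = ClientHello(
    frozenset({"mldsa65", "ecdsa_secp256r1_sha256"}),
    signature_algorithms_cert=frozenset({"rsa_pkcs1_sha256"}),
)


if __name__ == "__main__":
    for label, hello in [("browser", BROWSER_HELLO), ("pq test client", PQ_TEST_HELLO),
                         ("pq client, public trust only", PQ_PUBLIC_TRUST_HELLO),
                         ("split sigalgs", SPLIT_ALGS_HELLO)]:
        chain, ok = select_chain(SERVER_PREFERENCE, hello)
        print(f"{label:30s} -> {chain.name:9s} (known verifiable: {ok})")
```

The point the example makes against "prefers PQ": preference is only honoured when the client has advertised both the PQ scheme and (if it sends certificate_authorities) the PQ root; an ordinary browser hello steers the same server to the classical chain, and a client that advertises nothing usable gets the server's default chain with no guarantee it will verify.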