On Wed, Aug 06, 2025 at 05:01:06PM +0200, Dmitry Belyavsky wrote:

> > So basically, the onus to do the interoperable thing is primarily on the
> > server: don't deploy certs the expected client community can't verify,
> > be they PQ or "classical".
>
> IRL web clients would have to do smth, I suppose?

Ultimately, when TA negotiation is available, and any "privacy" issues are resolved, the client may signal which TAs it supports, and servers may try to choose a chain that comports with the client's supported TAs. For now, servers need to be mindful to not offer certs that might prove problematic to their clients.

So PQ certs are primarily for in-house garden deployment, but DANE SMTP (usages DANE-EE(3) and DANE-TA(2)) are also viable. Of course DNSSEC is presently classical only, so for now the DANE PKI remains exposed to "classical" attacks. The trickle of ML-DSA authenticated SMTP traffic to my mail server is more an implementation/interoperability testing exercise than a defense against cryptographically relevant quantum computers (that might show up some day).

--
    Viktor. 🇺🇦 Glory to Ukraine!

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org