Hi Yaron,
Doesn’t draft-ietf-tls-trust-anchor-ids with certification paths already enable 
this? The client can find out if the server supports a quantum-resistant PKI 
and not accept a classical one.

From: Yaron Sheffer <[email protected]>
Sent: Sunday, February 1, 2026 12:04 PM
To: TLS WG <[email protected]>
Subject: [EXTERNAL] [TLS] PQC Continuity draft


Hi,

A few months ago, Tiru and I published a draft [1] whose goal is to minimize 
rollback attacks while the Internet is slowly migrating from classic to PQC (or 
composite) certificates.

It seems that the TLS WG is now ready to turn its attention to PQ resistant 
signatures, and we would like to present the draft at the upcoming IETF-125. If 
anybody has had a chance to read the draft in the meantime, we would appreciate 
your feedback.

People might also want to refer to the earlier discussion on this list [2].

Thanks,
      Yaron

[1] https://datatracker.ietf.org/doc/draft-sheffer-tls-pqc-continuity/
[2] https://mailarchive.ietf.org/arch/msg/tls/qfmTs0dFq-79aJOkKysIP_3KhEI/