On 04.02.26 08:59, John Mattsson wrote:
This draft seems to have very little to do with PQC. The mechanisms it describes apply equally well to any algorithm migration, such as moving from RSA‑1024 to RSA‑2048, from RSA to ECDSA, from ECDSA to ML‑DSA‑44, or from ML‑DSA‑44 to ML‑DSA‑65.
Do I understand the "downgrade attacks" correctly as follows: Let /W/ be the set of weaker algorithms and /S/ be the set of stronger algorithms.

1. Server establishes connection using one algorithm from /S/.
2. Server drops connection.
3. When client attempts re-connection, server pretends that algorithm /S/ is not supported, and only shows one from /W/ as the supported algorithm.

If so, why can't the server just do step 3 on the initial connection?

I think the problem statement, in particular paragraph [0], can be improved.

-Usama

[0] https://www.ietf.org/archive/id/draft-sheffer-tls-pqc-continuity-00.html#section-1-2
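As an added illustration (not code from the draft or from either poster), a toy client that keeps a per-host memory of the strongest algorithm it has negotiated. Such a memory catches the drop-and-reconnect sequence in steps 1 to 3, but, as the question above points out, it cannot distinguish a weak-only offer on the very first connection from a server that genuinely supports only /W/. The algorithm names, their ordering and the `Client` class are assumptions made for this example.

```python
"""Toy model of the downgrade sequence discussed in the message.

A client remembers the strongest algorithm each server has ever negotiated
and refuses a later handshake that offers only something weaker.  This is an
added illustration, not the draft's mechanism; algorithm names and ordering
are constructed for the example."""
from dataclasses import dataclass, field

# Constructed ordering: larger value = stronger, in the sense of /W/ vs /S/.
STRENGTH = {"rsa_1024": 0, "rsa_2048": 1, "ecdsa_p256": 2,
            "mldsa44": 3, "mldsa65": 4}


class DowngradeDetected(Exception):
    """Raised when a server that previously negotiated /S/ now offers only /W/."""


@dataclass
class Client:
    # Hypothetical per-host state: strongest algorithm negotiated so far.
    best_seen: dict = field(default_factory=dict)

    def negotiate(self, host: str, offered: list) -> str:
        """Pick the strongest offered algorithm; refuse if it is weaker than
        what this host has already demonstrated it supports."""
        chosen = max(offered, key=STRENGTH.__getitem__)
        previous = self.best_seen.get(host)
        if previous is not None and STRENGTH[chosen] < STRENGTH[previous]:
            raise DowngradeDetected(
                f"{host}: offered only {chosen}, previously used {previous}")
        self.best_seen[host] = chosen
        return chosen


def run_scenario(client: Client, host: str, offers: list) -> list:
    """Feed successive handshake offers to the client; return the outcome
    of each ('refused' where the continuity check fires)."""
    outcomes = []
    for offered in offers:
        try:
            outcomes.append(client.negotiate(host, offered))
        except DowngradeDetected:
            outcomes.append("refused")
    return outcomes


if __name__ == "__main__":
    # Steps 1-3: strong first, then weak-only on reconnection -> detected.
    print(run_scenario(Client(), "srv.example", [["rsa_2048", "mldsa65"], ["rsa_2048"]]))
    # Step 3 on the initial connection: nothing to compare against -> accepted.
    print(run_scenario(Client(), "srv.example", [["rsa_2048"]]))
```

The second call shows the limit the question raises: with no prior contact, a memory-based check has nothing to compare against, so a weak-only first offer is accepted.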
_______________________________________________
TLS mailing list
