Your 3 steps are about one server, but the attack we are addressing has a malicious M pretending to be the server in Step 3.
And to your point: the discussion is similar to post-compromise security: we assume that most of the time there is no MITM between the client and the server, and we want to protect subsequent connections between these two peers. You are right that there is no protection if the MITM persists between the client and the server.

Thanks,
Yaron

From: Muhammad Usama Sardar <[email protected]>
Date: Thursday, 5 February 2026 at 0:47
To: John Mattsson <[email protected]>
Cc: Yaron Sheffer <[email protected]>, TLS WG <[email protected]>
Subject: Re: [TLS] Re: PQC Continuity draft

On 04.02.26 08:59, John Mattsson wrote:

This draft seems to have very little to do with PQC. The mechanisms it describes apply equally well to any algorithm migration, such as moving from RSA-1024 to RSA-2048, from RSA to ECDSA, from ECDSA to ML-DSA-44, or from ML-DSA-44 to ML-DSA-65.

Do I understand the "downgrade attacks" correctly as follows: Let W be the set of weaker algorithms and S be the set of stronger algorithms.

1. Server establishes connection using one algorithm from S.
2. Server drops connection.
3. When client attempts re-connection, server pretends that algorithm S is not supported, and only shows one from W as the supported algorithm.

If so, why can't the server just do step 3 on the initial connection?

I think the problem statement, in particular paragraph [0], can be improved.

-Usama

[0] https://www.ietf.org/archive/id/draft-sheffer-tls-pqc-continuity-00.html#section-1-2
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
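The exchange above (Usama's three steps with a MITM impersonating the server at step 3, and Yaron's point that protection only covers connections after an honest one) as an added, self-contained simulation. This is example code written for this page, not code from the draft or from any thread participant. The client-side rule it uses, "remember the strongest algorithm each peer has shown and refuse anything weaker on reconnection", is an assumed stand-in for illustration; it is not the mechanism the draft specifies. The algorithm labels, preference order, peer name and server behaviour are all constructed for the example.

```python
"""Simulation of the algorithm-downgrade scenario discussed in the thread.

Added example, not part of the draft or the e-mail thread. The per-peer
"remember the strongest algorithm seen" rule is an illustrative assumption,
not the draft's mechanism. Algorithm names and sets are constructed.
"""
from dataclasses import dataclass, field

# Constructed algorithm sets, matching the thread's W (weaker) and S (stronger).
WEAK = {"rsa-1024", "ecdsa-p256"}
STRONG = {"ml-dsa-44", "ml-dsa-65"}

# Client preference order, strongest first (constructed for the example).
PREFERENCE = ["ml-dsa-65", "ml-dsa-44", "ecdsa-p256", "rsa-1024"]
# Numeric rank so that a higher value means a stronger algorithm.
STRENGTH = {name: rank for rank, name in enumerate(reversed(PREFERENCE))}

PEER = "server.example"  # hypothetical peer identity used as the memory key


class Downgrade(Exception):
    """Raised when negotiation would end weaker than this peer previously showed."""


@dataclass
class Client:
    supported: set
    # peer identity -> strongest algorithm previously negotiated with that peer
    memory: dict = field(default_factory=dict)


def strongest(candidates):
    """Return the most preferred algorithm among candidates."""
    for alg in PREFERENCE:
        if alg in candidates:
            return alg
    raise Downgrade("no common algorithm")


def negotiate(client, peer, offered):
    """Pick the strongest algorithm in client.supported & offered.

    `offered` is what the party answering as `peer` claims to support; a MITM
    impersonating the server controls it. The continuity rule rejects any
    outcome weaker than what this peer negotiated in an earlier connection.
    """
    chosen = strongest(client.supported & set(offered))
    remembered = client.memory.get(peer)
    if remembered is not None and STRENGTH[chosen] < STRENGTH[remembered]:
        raise Downgrade(f"{peer} earlier negotiated {remembered}, now offers {chosen}")
    # Record the strongest result seen so far (never lowers the bar).
    client.memory[peer] = chosen
    return chosen


def scenario_mitm_after_first_connection():
    """Steps 1-3 from the thread: honest first connection, MITM on reconnect."""
    client = Client(supported=WEAK | STRONG)
    first = negotiate(client, PEER, WEAK | STRONG)      # step 1: honest server
    # step 2: connection dropped. step 3: MITM answers, claims only W.
    try:
        negotiate(client, PEER, WEAK)
        outcome = "accepted"
    except Downgrade:
        outcome = "rejected"
    return first, outcome


def scenario_mitm_from_start():
    """Usama's question: the MITM does step 3 on the initial connection.

    No earlier honest connection exists, so nothing is remembered and the
    weak result is accepted. This is the gap Yaron's reply acknowledges.
    """
    client = Client(supported=WEAK | STRONG)
    return negotiate(client, PEER, WEAK)


def scenario_honest_upgrade():
    """A server that genuinely adds a stronger algorithm later is not blocked."""
    client = Client(supported=WEAK | STRONG)
    first = negotiate(client, PEER, WEAK | {"ml-dsa-44"})
    second = negotiate(client, PEER, WEAK | STRONG)
    return first, second


if __name__ == "__main__":
    print("MITM after honest connection:", scenario_mitm_after_first_connection())
    print("MITM from the start:", scenario_mitm_from_start())
    print("Honest upgrade:", scenario_honest_upgrade())
```

Running the three scenarios shows the trade-off the thread is circling: the remembered strongest algorithm stops the step-3 downgrade, a MITM present on the very first connection is never detected (the client simply remembers the weak result), and a server that legitimately upgrades is not penalised. A real deployment would also have to decide how long to remember, how to key the memory (hostname, certificate, or something else) and what to do when a server intentionally retires an algorithm, none of which this toy rule addresses.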
