On 07.02.26 21:07, Eric Rescorla wrote:
The way I would think about this is that suppose you have a server which has both a traditional signature algorithm T and a PQ algorithm P [0]. If an attacker has a CRQC they can in principle attack connections between clients and the server by breaking T and then impersonating the server.
Thanks for correction. That makes much more sense to me now.
However, if the client successfully connects to the server once with the PQ algorithm, then the client can remember that and in future insist on the server using P and thus prevent this kind of attack.
[I don't have a PQ model yet, this is just my intuition which may be completely wrong] What I am failing to see is how remembering is better than a simple solution: If the client is already convinced that traditional signature algorithm T is weak and it only wants PQ signature algorithm P, then it should simply not offer T in ClientHello. If by some means the server is still able to force T, the client should be able to catch it before sending ClientFinished by a mismatch in the expected transcript hash, no? Am I missing some subtlety of PQ here? If so, please correct me or point me to some section of some document that I should read to understand why what I am proposing is not possible. The draft references a bunch of drafts from LAMPS but IMHO it should cite some relevant PQ drafts from TLS.
Thanks. -Usama
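As an added illustration, not part of the thread, here is a small Python model of the two client policies being compared: offering only P, versus continuing to offer T for servers that lack P while remembering which servers have already authenticated with P. The algorithm labels and server names are constructed; the "legacy" server stands for one that has not yet deployed P.

```python
from dataclasses import dataclass, field

# Labels standing in for the thread's algorithms T and P (constructed, not real IANA names).
T_ALG = "traditional-T"
P_ALG = "pq-P"


@dataclass
class Client:
    offer_traditional: bool            # keep offering T for servers that lack P?
    remember_pq: bool                  # insist on P once a server has used it?
    pq_seen: set = field(default_factory=set)

    def offered(self):
        """Contents of the client's signature_algorithms extension."""
        return ([T_ALG] if self.offer_traditional else []) + [P_ALG]

    def accept_certificate_verify(self, server, alg):
        """Decide whether a CertificateVerify signed with `alg` is accepted.

        TLS 1.3 requires the server's algorithm to be one the client offered, so
        a server cannot force T on a client that never offered it. The remembering
        client additionally refuses T from any server it has already seen use P.
        """
        if alg not in self.offered():
            return False
        if self.remember_pq and server in self.pq_seen and alg != P_ALG:
            return False
        if alg == P_ALG:
            self.pq_seen.add(server)
        return True


def run(client):
    """Three handshakes: a genuine P-capable server, then an impersonator who
    (with a CRQC) can forge only T for that server, then a legacy T-only server."""
    genuine = client.accept_certificate_verify("pq.example", P_ALG)
    forged = client.accept_certificate_verify("pq.example", T_ALG)
    legacy = client.accept_certificate_verify("legacy.example", T_ALG)
    return genuine, forged, legacy


if __name__ == "__main__":
    print("offer only P:        ", run(Client(offer_traditional=False, remember_pq=False)))
    print("offer both, forget:  ", run(Client(offer_traditional=True, remember_pq=False)))
    print("offer both, remember:", run(Client(offer_traditional=True, remember_pq=True)))
```

The strict client rejects the forgery but also cannot reach the legacy server; the remembering client reaches both while still rejecting T from a server it already knows supports P.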
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
