On Sat, Feb 7, 2026 at 1:12 PM Muhammad Usama Sardar <
[email protected]> wrote:

> On 07.02.26 21:07, Eric Rescorla wrote:
> > However, if the client successfully connects to the server once with the
> > PQ algorithm, then the client can remember that and in future insist on
> > the server using P and thus prevent this kind of attack.
>
> [I don't have a PQ model yet, this is just my intuition which may be
> completely wrong] What I am failing to see is how remembering is better
> than a simple solution: If the client is already convinced that traditional
> signature algorithm T is weak and it only wants PQ signature algorithm P,
> then it should simply not offer T in ClientHello.
>
The setting of interest is one where there is a large fraction of servers
which do not support PQ algorithms. In this case, any client which rejects T
will effectively be unable to communicate with those servers. This might be
desirable if CRQCs are ubiquitous and attacks are cheap, but what about the
case where CRQCs are very expensive or where it's unknown whether a CRQC even
exists? In this case, it might be desirable to have clients insist on PQ
algorithms for servers they know support them, but fall back to non-PQ
algorithms otherwise.

You might find this post useful, as it goes into the situation in some more
detail:
https://educatedguesswork.org/posts/pq-emergency/#signature-algorithms

-Ekr
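[Added illustration, not code from this thread or from any TLS stack.] The
trade-off being discussed is between reachability and downgrade resistance.
The toy model below makes it concrete by running three client policies against
a small constructed server fleet: "strict" (offer only P, as Muhammad proposes),
"permissive" (always offer T and P), and "remember" (offer both, but pin P for
any host that has negotiated it once, as Ekr describes). The host names, the
policy labels and the rule that a peer picks P whenever both sides support it
are all assumptions of the model, not anything from the thread.

```python
"""Toy model of client signature-algorithm policies (added illustration,
not code from the mailing-list thread or from any TLS implementation).

Policies for which signature algorithms a client offers:
  strict      - offer only the PQ algorithm P
  permissive  - always offer both T and P
  remember    - offer both T and P, but once a host has negotiated P,
                record that and thereafter offer only P to that host
"""
from dataclasses import dataclass, field

T = "T"    # traditional signature algorithm, assumed breakable by a CRQC
P = "P"    # PQ signature algorithm

# Constructed sample fleet (assumption): host -> algorithms the genuine
# server can sign with.
SERVERS = {
    "pq.example": {T, P},
    "legacy.example": {T},
    "pq-only.example": {P},
}


@dataclass
class Client:
    policy: str
    pq_seen: set = field(default_factory=set)   # hosts known to support P

    def offered_sigalgs(self, host):
        """Signature algorithms this client would list in ClientHello."""
        if self.policy == "strict" or host in self.pq_seen:
            return {P}
        return {T, P}

    def handshake(self, host, server_sigalgs):
        """Return the negotiated algorithm, or None if there is no overlap.

        Simplification: the peer picks P whenever both sides support it
        (in real TLS the server makes the choice).
        """
        common = self.offered_sigalgs(host) & set(server_sigalgs)
        if not common:
            return None
        chosen = P if P in common else T
        if chosen == P and self.policy == "remember":
            self.pq_seen.add(host)      # pin: from now on insist on P
        return chosen


def simulate(policy, servers=SERVERS):
    """Contact every host once with its genuine capabilities, then a second
    time as if the peer could only sign with T (what a broken T would let an
    impersonator present). Returns (hosts reachable on first contact,
    hosts where the T-only peer was refused on second contact).
    """
    client = Client(policy)
    reachable = {h for h, algs in servers.items()
                 if client.handshake(h, algs) is not None}
    refused = {h for h in servers if client.handshake(h, {T}) is None}
    return reachable, refused


if __name__ == "__main__":
    for policy in ("strict", "permissive", "remember"):
        reachable, refused = simulate(policy)
        print(f"{policy:11} reachable={sorted(reachable)} "
              f"T-only peer refused={sorted(refused)}")
```

Running it shows the three outcomes side by side: "strict" refuses every
T-only peer but never reaches legacy.example at all; "permissive" reaches
everything and refuses nothing; "remember" reaches everything and refuses the
T-only peer for exactly the hosts that previously negotiated P. The model also
makes the caveat visible: under "remember" the very first contact with a host
is unprotected, which is the trust-on-first-use cost of that approach.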
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]