On Mon, Feb 9, 2026 at 3:44 PM Eric Rescorla <[email protected]> wrote:
> Without taking a position on the merits of this idea generally, I would
> like to observe that it's not generally the case that people are
> individually deciding whether to trust non-PQ credentials or not. Rather,
> their software provider--in the Web case, the browser vendor--makes a
> global policy decision for their product. In some cases, users can of
> course change their configurations, but they generally don't.

I don't think trust or lack thereof is strictly binary. There is a history of web browsers using various UI elements to inform the users about levels of "security" of the website. I suppose a reasonable PQC certificate migration process at some point could include visual warnings from the browsers when a website did not produce an acceptable PQC certificate and perhaps blocking users from entering sensitive information such as passwords or payment credentials - especially if a given website did produce an acceptable PQC certificate in the past. I am not sure if protocol level hints or commitments are needed.

> -Ekr

-yaroslav
