On Thu, May 28, 2026, at 08:19, Nico Williams wrote: > I think perhaps I am making too much of the problem in the signature > case. Just be ready to switch to PQ PKIs and do it when a CRQC appears, > and otherwise take your time switching. The biggest problem here lies > in agile trust root management <--- this is hard to do.
That's just it. Some people are rightly concerned that the deployment phase of the switch is slow. That leaves some risk of exposure at the point that a CRQC is developed, as we struggle with rollout of a response. On the other hand, we know how to revoke trust anchors in a hurry. On that basis, it might be reasonable to say that some risk of compromise from a classical computer is justified if we can be in a position to move quickly when the rumors of there being a CRQC hit the tipping point. In light of that, a hybrid scheme as a means of mitigating the near-term risks of rollout, even if the classical part of the hybrid only ends up as baggage once the CRQC exists. _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
