This version addresses comments from an extensive discussion on this list, as well as our learnings from a POC implementation [1].

Detailed changes:


* Certificate extension: indicate algorithm_validity_period only, not the algorithm. * Improved error handling. * More precise cache indexing. * Server certificates only, client certs moved out of scope. * Certificate chain: client MUST reject non-PQC or mixed chains when commitment applies. * Security Considerations: first-connection trust, cache churn / DoS. * Operational: CDNs; TLS-terminating intermediaries.


Thanks,
    Yaron

[1] https://github.com/yaronf/pqc-continuity-poc

-------- Forwarded Message --------
Subject: New Version Notification for draft-sheffer-tls-pqc-continuity-02.txt
Date:   Tue, 09 Jun 2026 03:40:15 -0700
From:   [email protected]
To: Tirumaleswar Reddy.K <[email protected]>, Tirumaleswar Reddy <[email protected]>, Yaron Sheffer <[email protected]>



A new version of Internet-Draft draft-sheffer-tls-pqc-continuity-02.txt has
been successfully submitted by Yaron Sheffer and posted to the
IETF repository.

Name: draft-sheffer-tls-pqc-continuity
Revision: 02
Title: PQC Continuity: Downgrade Protection for TLS Servers Migrating to PQC
Date: 2026-06-09
Group: Individual Submission
Pages: 14
URL: https://www.ietf.org/archive/id/draft-sheffer-tls-pqc-continuity-02.txt
Status: https://datatracker.ietf.org/doc/draft-sheffer-tls-pqc-continuity/
HTML: https://www.ietf.org/archive/id/draft-sheffer-tls-pqc-continuity-02.html HTMLized: https://datatracker.ietf.org/doc/html/draft-sheffer-tls-pqc-continuity Diff: https://author-tools.ietf.org/iddiff?url2=draft-sheffer-tls-pqc-continuity-02

Abstract:

As the Internet transitions toward post-quantum cryptography (PQC),
many TLS servers will continue supporting traditional certificates to
maintain compatibility with legacy clients. However, this
coexistence introduces a significant vulnerability: an undetected
rollback attack, where a malicious actor strips the PQC or composite
certificate and forces the use of a classical certificate once
quantum-capable adversaries exist.

To defend against this, this document defines a TLS extension that
allows a TLS client to cache a server's declared commitment to
present PQC or composite certificates for a specified duration. On
subsequent connections, the client enforces that cached commitment
and rejects traditional-only certificates that conflict with it.
This mechanism, inspired by HTTP Strict Transport Security (HSTS) but
operating at the TLS layer, provides PQC downgrade protection without
requiring changes to certificate authority (CA) infrastructure.



The IETF Secretariat


_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to