Hi Yaron and Tiru,

Thank you for the updates. Unfortunately, my comments are unaddressed. I am opposed to this draft until a crystal clear motivation is demonstrated.

On 09.06.26 13:09, Yaron Sheffer wrote:
This version addresses comments from an extensive discussion on this list, as well as our learnings from a POC implementation [1].

I have seen the diff. This version actually does not address my comments.

As others also commented before, what is so special about PQC here? I would really appreciate presenting the actual problem without PQC hype.

The following sentence seems to be the whole hypothesis of this draft:

   In such cases, adversaries could strip PQC or composite
   certificates, present only traditional ones, and conduct MitM attacks.

I find this single sentence insufficient. Please expand it and justify it precisely, preferably using a separate motivation section. Some questions to help you as a starting point:

1. What does "strip" actually mean in RFC8446bis sense?
2. If client and server negotiated that they will do PQC, then client
   will expect and should verify both T and PQ parts. If one of the
   parts is "stripped," why does the verification not fail? So how does
   this "stripping" remain undetected by the client?

These details are blocking the formal analysis work.

Best regards,

-Usama

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to