On Tue, Jun 09, 2026 at 09:45:07PM +0300, Yaron Sheffer wrote:
>
> The AP (server, in this case) must be able to determine which
> certificate/MTC and corresponding private key to use when
> generating CertificateVerify. Therefore, the information needed to
> act within its commitment must be available to the AP, even if it
> is not explicit within the MTC.

This only determines the server key algorithm, not the certificate
signature algorithm. The two can differ, and the draft requires both to
be PQC.

The MTC certificate signature algorithm is implicitly determined
by the issuer. The AP would need some way to look up the algorithm by
issuer.

(Unless the AP does nasty hacks like assuming any signature that is
over 1kB is post-quantum.)


> Similarly, the MTC is received by the RP (client, in this case) along
> with a CertificateVerify that clarifies the nature of the
> authentication. So the RP can determine if the server is acting
> within its commitment.

It is not enough to do this (due to the above), but the RP knows the
algorithm for each issuers it trusts, so it can check if it is
allowed or not.




-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to