On Tue, Jun 09, 2026 at 09:45:07PM +0300, Yaron Sheffer wrote: > > The AP (server, in this case) must be able to determine which > certificate/MTC and corresponding private key to use when > generating CertificateVerify. Therefore, the information needed to > act within its commitment must be available to the AP, even if it > is not explicit within the MTC.
This only determines the server key algorithm, not the certificate signature algorithm. The two can differ, and the draft requires both to be PQC. The MTC certificate signature algorithm is implicitly determined by the issuer. The AP would need some way to look up the algorithm by issuer. (Unless the AP does nasty hacks like assuming any signature that is over 1kB is post-quantum.) > Similarly, the MTC is received by the RP (client, in this case) along > with a CertificateVerify that clarifies the nature of the > authentication. So the RP can determine if the server is acting > within its commitment. It is not enough to do this (due to the above), but the RP knows the algorithm for each issuers it trusts, so it can check if it is allowed or not. -Ilari _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
