Hi Ilari,


Understood. We would need to look further at the interaction between PLANTS and PQC Continuity. Specifically,  we would need to understand the PLANTS trust model better before deciding how the commitment should apply in that case.


Thanks,

        Yaron


On 09/06/2026 22:03, Ilari Liusvaara wrote:
On Tue, Jun 09, 2026 at 09:45:07PM +0300, Yaron Sheffer wrote:
The AP (server, in this case) must be able to determine which
certificate/MTC and corresponding private key to use when
generating CertificateVerify. Therefore, the information needed to
act within its commitment must be available to the AP, even if it
is not explicit within the MTC.
This only determines the server key algorithm, not the certificate
signature algorithm. The two can differ, and the draft requires both to
be PQC.

The MTC certificate signature algorithm is implicitly determined
by the issuer. The AP would need some way to look up the algorithm by
issuer.

(Unless the AP does nasty hacks like assuming any signature that is
over 1kB is post-quantum.)


Similarly, the MTC is received by the RP (client, in this case) along
with a CertificateVerify that clarifies the nature of the
authentication. So the RP can determine if the server is acting
within its commitment.
It is not enough to do this (due to the above), but the RP knows the
algorithm for each issuers it trusts, so it can check if it is
allowed or not.




-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to