|
Hi Ilari,
Understood. We would need to look further at the interaction between PLANTS and PQC Continuity. Specifically, we would need to understand the PLANTS trust model better before deciding how the commitment should apply in that case.
Thanks, Yaron
On 09/06/2026 22:03, Ilari Liusvaara
wrote:
On Tue, Jun 09, 2026 at 09:45:07PM +0300, Yaron Sheffer wrote:The AP (server, in this case) must be able to determine which certificate/MTC and corresponding private key to use when generating CertificateVerify. Therefore, the information needed to act within its commitment must be available to the AP, even if it is not explicit within the MTC.This only determines the server key algorithm, not the certificate signature algorithm. The two can differ, and the draft requires both to be PQC.The MTC certificate signature algorithm is implicitly determined by the issuer. The AP would need some way to look up the algorithm by issuer. (Unless the AP does nasty hacks like assuming any signature that is over 1kB is post-quantum.)Similarly, the MTC is received by the RP (client, in this case) along with a CertificateVerify that clarifies the nature of the authentication. So the RP can determine if the server is acting within its commitment.It is not enough to do this (due to the above), but the RP knows the algorithm for each issuers it trusts, so it can check if it is allowed or not. -Ilari _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected] |
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
