Hi folks, We now have a number of proposals for somehow using both PQ + T signatures simultaneously for TLS. These include:
- Dual Certificates: draft-yusef-tls-pqt-dual-certs - Composite Certificates: draft-reddy-tls-composite-mldsa - Multiple Certificate/CertificateVerify: https://mailarchive.ietf.org/arch/msg/tls/dVj5I_s8Hj5s4Fzmbv73qac_Ftk/ It seems to me that all of these share the same basic intuition, namely that it's more secure to use both PQ + T algorithms together instead of individually. It's not clear to me whether all of these approaches have the same security properties, but it seems likely that with enough work they can be made to the deliver on the basic value proposition of robust authentication as long as one of the algorithms is strong [0]. To that end, rather than considering each of these ideas individually I would instead suggest that we do the following: 1. Form a WG opinion on whether we need to do simultaneous PQ + T at all. 2. Assuming the answer to (1) is yes then try to pick one approach for doing it. -Ekr [0] I'm ignoring for the moment the policy considerations that are required to make this work. Obviously, you don't get this value proposition if you simultaneously allow the weak algorithm on its own.
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
