Hi folks,

We now have a number of proposals for somehow using both PQ + T
signatures simultaneously for TLS. These include:

- Dual Certificates: draft-yusef-tls-pqt-dual-certs
- Composite Certificates: draft-reddy-tls-composite-mldsa
- Multiple Certificate/CertificateVerify:
https://mailarchive.ietf.org/arch/msg/tls/dVj5I_s8Hj5s4Fzmbv73qac_Ftk/

It seems to me that all of these share the same basic intuition,
namely that it's more secure to use both PQ + T algorithms together
instead of individually. It's not clear to me whether all of these
approaches have the same security properties, but it seems likely that
with enough work they can be made to the deliver on the basic value
proposition of robust authentication as long as one of the algorithms
is strong [0].

To that end, rather than considering each of these ideas individually
I would instead suggest that we do the following:

1. Form a WG opinion on whether we need to do simultaneous
   PQ + T at all.

2. Assuming the answer to (1) is yes then try to pick one
   approach for doing it.

-Ekr

[0] I'm ignoring for the moment the policy considerations that are
required to make this work. Obviously, you don't get this value
proposition if you simultaneously allow the weak algorithm on
its own.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to