On Thu, Jun 25, 2026 at 8:19 PM Eric Rescorla <[email protected]> wrote:

> Hi folks,
>
> We now have a number of proposals for somehow using both PQ + T
> signatures simultaneously for TLS. These include:
>
> - Dual Certificates: draft-yusef-tls-pqt-dual-certs
> - Composite Certificates: draft-reddy-tls-composite-mldsa
> - Multiple Certificate/CertificateVerify:
> https://mailarchive.ietf.org/arch/msg/tls/dVj5I_s8Hj5s4Fzmbv73qac_Ftk/
>
> It seems to me that all of these share the same basic intuition,
> namely that it's more secure to use both PQ + T algorithms together
> instead of individually. It's not clear to me whether all of these
> approaches have the same security properties, but it seems likely that
> with enough work they can be made to the deliver on the basic value
> proposition of robust authentication as long as one of the algorithms
> is strong [0].
>

I don't see how dual certificates could be adjusted to be used in the case
of a classical certificate for a legacy server where you'd want a classical
leaf signature and a PQ CA signature. The obvious thing looses the
distinction between that certificate and the legacy certificate meant for a
legacy client, which leads to a downgrade. This is the same problem as with
multiple certificate(verify) messages, where I discussed it in a bit more
detail:
https://mailarchive.ietf.org/arch/msg/tls/Rn7GHZGXnWv_TRxBpMkRXAYQ-wk/
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to