On Thu, Jun 25, 2026 at 8:19 PM Eric Rescorla <[email protected]> wrote:
> Hi folks, > > We now have a number of proposals for somehow using both PQ + T > signatures simultaneously for TLS. These include: > > - Dual Certificates: draft-yusef-tls-pqt-dual-certs > - Composite Certificates: draft-reddy-tls-composite-mldsa > - Multiple Certificate/CertificateVerify: > https://mailarchive.ietf.org/arch/msg/tls/dVj5I_s8Hj5s4Fzmbv73qac_Ftk/ > > It seems to me that all of these share the same basic intuition, > namely that it's more secure to use both PQ + T algorithms together > instead of individually. It's not clear to me whether all of these > approaches have the same security properties, but it seems likely that > with enough work they can be made to the deliver on the basic value > proposition of robust authentication as long as one of the algorithms > is strong [0]. > I don't see how dual certificates could be adjusted to be used in the case of a classical certificate for a legacy server where you'd want a classical leaf signature and a PQ CA signature. The obvious thing looses the distinction between that certificate and the legacy certificate meant for a legacy client, which leads to a downgrade. This is the same problem as with multiple certificate(verify) messages, where I discussed it in a bit more detail: https://mailarchive.ietf.org/arch/msg/tls/Rn7GHZGXnWv_TRxBpMkRXAYQ-wk/
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
