Thanks for the detailed reply. On the last point about downgrade, I need to 
think further.

> >> 1. Classical cert for legacy client. This will be a fully classical chain 
> >> that will never be accepted by a client supporting PQ.

>> I am not quite agree on this: This depends. In transmission period (say now 
>> - 2030.12.31), a client supporting PQ may still accept a legacy client with 
>> fully classical chains.

> I am confused. Perhaps there is a typo in your sentence.

I mean a client/server B supporting PQ may still accept a legacy client A with 
fully classical chains, in transmission period (say now - 2030.12.31). Here is 
an imaginary example:

- now - 2027: A just has a classical cert (i.e a classic key with a classic 
chains). B has a
classical cert and a PQ cert. But accordingly to its security policy, B still 
accepts A's authentication using classic signatures.

- 2028- 2029: B's security policy will be updated, so B cannot accept A's 
authentication only using classic signatures anymore. But A can autheticate 
itself to B by using A's classic signatures and PSK, OR PQ signatures.

- From 2030: A must use PQ signatures to authenticate itself to B.

===

So, as what I understand now, the ability of signing and/or verifying is also a 
conern. Therefore, for a case like TLS client and server communicate with each 
other using their cert, at least there levels of capability should be taken 
into consideration:

1) It has classic or PQ key certified by a cert.

2) It's cert is signed by a CA using a classic or PQ key.

3) It can sign and/or verify PQ signatures, or not.

As both sides are symmetric, there will be a number of combinations.

Guilin

发件人:Bas Westerbaan 
<[email protected]<mailto:[email protected]>>
收件人:Wang Guilin <[email protected]<mailto:[email protected]>>
抄 送:Eric Rescorla <[email protected]<mailto:[email protected]>>; 
<[email protected]<mailto:[email protected]>>;Wang Guilin 
<[email protected]<mailto:[email protected]>>
时 间:2026-06-29 05:55:05
主 题:Re: [TLS] Re: Upleveling on PQ + T signatures for TLS


When talking about certificates or certificate chains, there are at least two 
concepts very related: the user's public key certified by its cert, and the 
CA's public key/algorithm used to sign a cert.

It seems naturally to think that a legacy client means a client whose cert is 
certified by a CA using a classical algorithm for the user's
classical public key. I will assume this to understand your thoughts.

Not quite: with legacy server/client I mean a server/client that have not (been 
able to) receive an update. Hence, for server authentication, a legacy client 
doesn't know how to verify a PQ signature and a legacy server doesn't know how 
to sign with a PQ key.

 [But if a CA signs a client's classic public key by a PQ or hydbrid signature, 
is such a client still called a legacy client?

Given we're talking about server authentication I think your question would be 
"But if a CA signs a [server]'s classic public key by a PQ or hydbrid 
signature, is such a [server] still called a legacy [server]?"

To which my answer is emphatically: yes! You can install a classical leaf with 
a PQ chain on a legacy server. There might be a problem if the server software 
tries to check the chain, but not all do. And if it turns out to be common, we 
could hide the PQ chain somewhere in an extension or the like. In any case, the 
point is that a PQ client can still gain a PQ secure signal that the server is 
indeed legacy.

Also, is it just silly or must be technically prohibited to sign a client's PQ 
key by a CA using classic signtaure? ]

I have not formed an opinion here.

> 1. Classical cert for legacy client. This will be a fully classical chain 
> that will never be accepted by a client supporting PQ.

I am not quite agree on this: This depends. In transmission period (say now - 
2030.12.31), a client supporting PQ may still accept a legacy client with fully 
classical chains.

I am confused. Perhaps there is a typo in your sentence.

> 2. Classical cert for legacy server. This is to provision at servers that are 
> not able to sign with PQ. Its chain and CT-cosignatures will be PQ. The
distinction between 1 and 2 is very important. A server operator that knows its 
server supports PQ has no need for 2, and thus would sound the alarm if it sees 
chain 2 appear in CT for its domain. Also thanks to the PQ chain, creating 
chain 2 when not requested requires misissuance by a CA.

An interesting difference. But such a server is not a real legacy server, as 
its chain and CT-cosignatures are signed by PQ, though it still uses classic 
algorithm to sign.

See above.

> Certainly the upgraded server shouldn't combine 2 with anything, as that 2 
> allows for downgrades.

Did not see real downgrades. Hope I did not  misunderstand your point here.

If you do not make the distinction between a legacy certificate for a legacy 
client and one for a legacy server, then there is indeed a downgrade. This is 
because upgraded clients need to accept some classical certificate of a legacy 
server. If that is the same as the classical certificate for a legacy client, 
then its existence doesn't raise alarms as it should.

Best,

 Bas
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to