> > I'm not sure I would agree that a 3-8 MB handshake to preserve the status > quo is exactly low hanging fruit. >
If we use Dilithium2 for every signature, we're looking at about 17kB extra — not 3-8MB. ICA suppression removes one public key and signature, so 3.7kB. This is where looking to see what can be done to remove the necessity of > those SCTs and OCSPs, rather than trying to patch them into a PQ world. > If Rainbow or GeMMS doesn't make the cut, then replacing SCTs by inclusion proofs (to some daily picked side-loaded STHs) could be interesting (as they're ~1kB each), but that's not low hanging fruit. > The viability of CT itself becomes more suspect in a world of ginormous > signatures, > Dilithium2 and Falcon signatures+public keys are 2.4+1.3kB and 666+897B respectively. That won't cause trouble for CT. Best, Bas
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
