On Tue, Aug 30, 2022 at 02:11:57PM +0200, Bas Westerbaan wrote:
> For TLS on the Web it would be ideal if we can find a single[1] hybrid
> which we can all be happy with because that will make keyshare
> negotiation easier.

I don't suppose that will happen, as:

- Some folks want something with a P384 classical part.
- Some folks do not want a P384 classical part.
- Some folks do not want Kyber768, as it does not fit into the MTU.

> The PQ hybrid situation is more painful. Suppose we end up with two
> essentially equivalent hybrids, say P-256+Kyber768 and
> X25519+Kyber768, and different servers have a different preference.
> Then clients are forced to either send both keyshares or suffer an
> HRR.

And without compression (which is not trivial to implement), sending both uses quite a bit of space...

> Of course, we can change the server logic, but it isn't simple.

I think there could be some guidance on server logic.

Another thing would be adding a group hint to SVCB/HTTPS. However, this would run into trouble with downgrade attacks.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
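The trade-off discussed in the thread, between a client offering one hybrid key share (and risking a HelloRetryRequest from a server that prefers the other) and offering both (and paying for it in ClientHello bytes), can be made concrete with a small model. The following Python is an added example, not code from the thread or from any TLS implementation. The group names are constructed labels rather than IANA-registered names, the equivalence policy and the 1400-byte budget are assumptions made for illustration, and the byte counts come from the public-key sizes of the underlying primitives (32-byte X25519 key, 65-byte uncompressed P-256 point, 1184-byte Kyber768 encapsulation key) laid out in the TLS 1.3 key_share wire format. The "lenient" selection sketches the kind of server-logic change the thread alludes to: accept an already-offered share the server considers equivalent to its first choice instead of forcing an HRR.

```python
"""Sketch of TLS 1.3 key_share negotiation with hybrid groups (added example).

Models two essentially equivalent hybrids, P-256+Kyber768 and X25519+Kyber768,
servers that prefer different ones, and the client's choice between offering
one share (risking a HelloRetryRequest) or both (paying in ClientHello bytes).
Group names are constructed labels for this example, not registered names.
"""
from dataclasses import dataclass

# key_exchange lengths in bytes for the underlying public keys.
X25519_PK = 32           # X25519 public key
P256_PK = 65             # uncompressed P-256 point (0x04 || x || y)
KYBER768_PK = 1184       # Kyber768 encapsulation key

# Hybrid key_exchange = classical || post-quantum, concatenated.
KEY_SHARE_SIZES = {
    "x25519": X25519_PK,
    "secp256r1": P256_PK,
    "x25519_kyber768": X25519_PK + KYBER768_PK,   # 1216
    "p256_kyber768": P256_PK + KYBER768_PK,       # 1249
}

# Constructed server policy (assumption): hybrids sharing the PQ component and
# having a classical component of comparable strength are interchangeable.
EQUIVALENCE_CLASSES = [
    frozenset({"x25519_kyber768", "p256_kyber768"}),
    frozenset({"x25519", "secp256r1"}),
]


def equivalent(a, b):
    """True if groups a and b fall into the same equivalence class."""
    return any(a in cls and b in cls for cls in EQUIVALENCE_CLASSES)


def key_share_ext_size(groups):
    """Bytes of the ClientHello key_share extension body for the offered groups:
    a 2-byte vector length, then per entry 2-byte group, 2-byte length, key_exchange."""
    return 2 + sum(2 + 2 + KEY_SHARE_SIZES[g] for g in groups)


def fits_budget(groups, budget=1400):
    """Does the key_share extension alone stay within a constructed per-packet
    byte budget? The rest of the ClientHello still has to fit in the remainder."""
    return key_share_ext_size(groups) <= budget


@dataclass(frozen=True)
class Outcome:
    action: str   # "accept" (ServerHello) or "hrr" (HelloRetryRequest)
    group: str    # group selected, or the group the HRR asks the client to send


def negotiate_strict(offered_shares, client_groups, server_prefs):
    """Literal server logic: pick the server's most preferred group the client
    supports; if the client sent no key_share for it, answer with an HRR."""
    for g in server_prefs:
        if g in client_groups:
            return Outcome("accept", g) if g in offered_shares else Outcome("hrr", g)
    raise ValueError("no mutually supported group")


def negotiate_lenient(offered_shares, client_groups, server_prefs):
    """Server logic that avoids an HRR when the client already sent a share the
    server supports and treats as equivalent to its first choice."""
    for g in server_prefs:
        if g not in client_groups:
            continue
        if g in offered_shares:
            return Outcome("accept", g)
        for alt in offered_shares:
            if alt in server_prefs and equivalent(g, alt):
                return Outcome("accept", alt)
        return Outcome("hrr", g)
    raise ValueError("no mutually supported group")


if __name__ == "__main__":
    client_groups = ["x25519_kyber768", "p256_kyber768", "x25519", "secp256r1"]
    one_hybrid = ["x25519", "x25519_kyber768"]
    both_hybrids = ["x25519", "x25519_kyber768", "p256_kyber768"]
    print("key_share, one hybrid  :", key_share_ext_size(one_hybrid), "bytes")
    print("key_share, both hybrids:", key_share_ext_size(both_hybrids), "bytes")
    server_a = ["p256_kyber768", "x25519_kyber768", "secp256r1", "x25519"]
    print("strict :", negotiate_strict(one_hybrid, client_groups, server_a))
    print("lenient:", negotiate_lenient(one_hybrid, client_groups, server_a))
```

Run stand-alone, the script shows a single classical share plus one hybrid at 1258 bytes of key_share, and both hybrids at 2511 bytes, which is where the space concern in the thread comes from. Against a server whose first preference is the other hybrid, the strict logic answers with an HRR while the lenient logic accepts the offered equivalent. The equivalence policy stays within the server's own supported list, so it does not widen what an attacker could steer the negotiation toward; the hard part the thread points at is agreeing on what counts as equivalent.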