> > And of course, we really > don't want to have to do major work on TLS 1.2, e.g. for Post-Quantum. >
More to the point, I'd say the post-quantum transition is the natural moment to move from ≤1.2 to 1.3. (TLS 1.2 and earlier are vulnerable to PQ -> classical downgrades during the transition because of CurveSwap like attacks.)
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
