On Fri, Mar 03, 2023 at 09:37:48PM +0100, Bas Westerbaan wrote:
> > > And of course, we really
> > > don't want to have to do major work on TLS 1.2, e.g. for Post-Quantum.
> >
> More to the point, I'd say the post-quantum transition is the
> natural moment to move from ≤1.2 to 1.3.
Agreed.

> (TLS 1.2 and earlier are vulnerable to PQ -> classical downgrades
> during the transition because of CurveSwap-like attacks.)

I would say that a much more severe problem is that TLS 1.2 group shares are too small and the rest is not even close to how a KEM operates. So one would need to pretty much redefine the entire key exchange, which is not a good idea. Whereas TLS 1.3 group shares can be large enough, offering the trivial extension to post-quantum.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
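The size argument in Ilari's reply can be checked against the wire formats. The following is an added example, not code from the thread or from any TLS implementation: it encodes a key-exchange share the way TLS 1.2 ECDHE does (RFC 8422 ECPoint, a one-byte length, so at most 255 bytes) and the way TLS 1.3 does (RFC 8446 KeyShareEntry, a two-byte length, so up to 65535 bytes), then tries both with an X25519 share and with a hybrid X25519 + ML-KEM-768 share. The ML-KEM-768 sizes (1184-byte encapsulation key, 1088-byte ciphertext) are constructed inputs taken from FIPS 203, and the 0x6399 group codepoint is assumed to be the one used by the X25519Kyber768Draft00 draft; neither is stated in the thread.

```python
"""Compare how much key-exchange material TLS 1.2 ECDHE and TLS 1.3 can carry.

Added example for the TLS-list thread above; not code from the thread.
"""
import struct

# Constructed inputs: share sizes for X25519 and ML-KEM-768 (FIPS 203).
X25519_LEN = 32
MLKEM768_EK_LEN = 1184   # encapsulation key, sent in the client's share
MLKEM768_CT_LEN = 1088   # ciphertext, sent in the server's share

NAMED_GROUP_X25519 = 0x001D           # RFC 8422 / RFC 8446 NamedGroup
NAMED_GROUP_X25519KYBER768 = 0x6399   # assumption: draft X25519Kyber768Draft00 codepoint
ECCURVETYPE_NAMED_CURVE = 3           # RFC 8422 ECCurveType.named_curve


def tls12_ecpoint(point: bytes) -> bytes:
    """RFC 8422: ECPoint is `opaque point <1..2^8-1>`, i.e. a one-byte length prefix."""
    if not 1 <= len(point) <= 0xFF:
        raise ValueError(f"ECPoint cannot carry {len(point)} bytes (max 255)")
    return struct.pack("!B", len(point)) + point


def tls12_server_ecdh_params(named_curve: int, point: bytes) -> bytes:
    """RFC 8422 ServerECDHParams: ECParameters{named_curve} followed by the ECPoint.

    This is the structure inside a TLS 1.2 ServerKeyExchange, and it is where the
    255-byte ceiling on an ECDHE share comes from.
    """
    return struct.pack("!BH", ECCURVETYPE_NAMED_CURVE, named_curve) + tls12_ecpoint(point)


def tls13_key_share_entry(group: int, key_exchange: bytes) -> bytes:
    """RFC 8446: KeyShareEntry { NamedGroup group; opaque key_exchange<1..2^16-1>; }."""
    if not 1 <= len(key_exchange) <= 0xFFFF:
        raise ValueError(f"key_exchange cannot carry {len(key_exchange)} bytes (max 65535)")
    return struct.pack("!HH", group, len(key_exchange)) + key_exchange


def parse_key_share_entry(buf: bytes) -> tuple[int, bytes, bytes]:
    """Strict inverse of tls13_key_share_entry; returns (group, key_exchange, remainder).

    Length is checked against the buffer so a truncated or oversized entry is
    rejected rather than silently read short.
    """
    if len(buf) < 4:
        raise ValueError("truncated KeyShareEntry header")
    group, length = struct.unpack("!HH", buf[:4])
    if length == 0 or len(buf) < 4 + length:
        raise ValueError("KeyShareEntry length field does not match buffer")
    return group, buf[4:4 + length], buf[4 + length:]


def fits_tls12_ecdhe(share_len: int) -> bool:
    """True if a share of this size can be carried in a TLS 1.2 ECPoint."""
    try:
        tls12_ecpoint(b"\x00" * share_len)
        return True
    except ValueError:
        return False


def fits_tls13_key_share(share_len: int) -> bool:
    """True if a share of this size can be carried in a TLS 1.3 KeyShareEntry."""
    try:
        tls13_key_share_entry(NAMED_GROUP_X25519KYBER768, b"\x00" * share_len)
        return True
    except ValueError:
        return False


def hybrid_share_sizes() -> dict:
    """Byte sizes of each side's X25519 + ML-KEM-768 share (concatenated, as in the draft)."""
    return {
        "client": X25519_LEN + MLKEM768_EK_LEN,   # X25519 pubkey || ML-KEM ek
        "server": X25519_LEN + MLKEM768_CT_LEN,   # X25519 pubkey || ML-KEM ct
    }


if __name__ == "__main__":
    sizes = hybrid_share_sizes()
    for name, n in [("X25519", X25519_LEN), ("hybrid client", sizes["client"]),
                    ("hybrid server", sizes["server"])]:
        print(f"{name:14s} {n:5d} bytes  TLS1.2 ECPoint: {fits_tls12_ecdhe(n)}  "
              f"TLS1.3 key_share: {fits_tls13_key_share(n)}")
```

The TLS 1.2 FFDHE ServerKeyExchange does use two-byte lengths, but that path carries a Diffie-Hellman public value inside a ServerDHParams structure, so putting a KEM ciphertext there would still mean redefining the message semantics rather than merely raising a length limit; the ECDHE ECPoint path, which is what modern TLS 1.2 deployments negotiate, is the one this check models.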