On Wed, Mar 22, 2023 at 01:54:22PM +0100, Bas Westerbaan wrote:
> > Unpopular pages are much more likely to deploy a solution that
> > doesn't require a parallel CA infrastructure and a cryptographer
> > on staff.

I don't think the server-side deployment difficulties with this have anything to do with parallel CA infrastructure or admins having to understand cryptography.

> CAs, TLS libraries, certbot, and browsers would need to make changes,
> but I think we can deploy this without webservers or relying parties
> having to make any changes if they're already using an ACME client
> except upgrading their dependencies, which they would need to do
> anyway to get plain X.509 PQ certs.

I don't agree. I think deploying this is much, much harder than deploying X.509 PQ certificates.

X.509 PQ certificates are mostly a dependency update. This looks to require some nontrivial configuration work that cannot be done completely automatically.

And then in its present form, this could be extremely painful for ACME clients to implement (on the level of a complete rewrite for many).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls