On Wed, Dec 13, 2023 at 10:29 AM Christian Huitema <huit...@huitema.net> wrote:
<snip>
>
> Doing a PQ version of ECH would be hard. On the other hand, doing an
> 8773-like enhancement to ECH should not be all that hard. It would
> require that the outer CH contains a PSK shared between the client and
> the fronting server, and then combining that PSK and a classic public
> key to derive the key encrypting the inner CH.

Managing shared symmetric keys between clients and servers at scale is very much a "sufficient thrust" situation. An actually deployable version of this, without huge latency would be very tricky: would have to use tickets, have a way to hand them out, etc. ECH is of limited utility without this kind of scale.

By contrast the PQ version "just" has key size issues to worry about with the DNS advertising bits and maybe some structures that get tight.

Sincerely,
Watson

--
Astra mortemque praestare gradatim
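
The PSK-plus-public-key combiner sketched in the quoted text, as an added example that is not part of this thread or of any ECH draft: it chains two HKDF-Extract steps (PSK first, then the classic DH output, loosely modeled on the order TLS 1.3 feeds them into its key schedule) so the inner-CH key depends on both secrets. The label string, the `FrontingServer` ticket table and all secret values are assumptions constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_inner_ch_key(psk: bytes, dh_shared: bytes, context: bytes) -> bytes:
    """Derive a 16-byte key that needs BOTH the PSK and the DH secret."""
    early = hkdf_extract(b"\x00" * HASH().digest_size, psk)
    combined = hkdf_extract(early, dh_shared)
    # Hypothetical label; the context binds the key to one ticket identity.
    return hkdf_expand(combined, b"hybrid ech key" + context, 16)

class FrontingServer:
    """Hypothetical fronting server holding previously issued PSK tickets."""
    def __init__(self, tickets: dict):
        self.tickets = tickets  # ticket id -> PSK

    def inner_ch_key(self, ticket_id: bytes, dh_shared: bytes):
        psk = self.tickets.get(ticket_id)
        if psk is None:
            return None  # unknown ticket: the inner CH cannot be decrypted
        return derive_inner_ch_key(psk, dh_shared, ticket_id)

# Constructed sample values; a real DH secret would come from the key exchange.
TICKET_ID = b"ticket-0001"
PSK = bytes(range(32))
DH_SHARED = bytes(range(32, 64))

def demo():
    server = FrontingServer({TICKET_ID: PSK})
    client_key = derive_inner_ch_key(PSK, DH_SHARED, TICKET_ID)
    server_key = server.inner_ch_key(TICKET_ID, DH_SHARED)
    # Someone who later recovers the DH secret but not the PSK gets another key.
    dh_only_key = derive_inner_ch_key(b"\x00" * 32, DH_SHARED, TICKET_ID)
    return client_key, server_key, dh_only_key
```

The `None` branch is where the deployment cost raised in the reply shows up: every client needs a ticket the fronting server can still look up before it can send an encrypted inner CH.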