On Mon, May 27, 2024 at 10:39:27PM +0200, Dennis Jackson wrote:
> Hi Ryan,
>
> On 27/05/2024 19:23, Ryan Hurst wrote:
> > I don't understand your position on the verifier, the faith one can put
> > in the chain of signatures is only the faith appropriate for the weakest
> > signature. As such if a classical key is used to sign a PQ chain, an
> > attacker would go after the classical signature ignoring the others.
>
> That's not quite right.
>
> Let's imagine we have a leaf public key L1, a PQ Public Key M1 and a
> Classical Public Key N1 and use <- to indicate 'signed by'. Consider the
> certificate chains:
>
> (1) L1 <- M1
>
> (2) N1 -> L1 <- M1 (N1 and M1 are both intermediates signing the same
> leaf)
>
> (3) L1 <- M1 <- N1 (N1 cross-signs M1).
>
> Have we made things worse in (2) by adding a classical signature? No. Any
> verifier that would output accept on (1), will also output accept on (2)
> without even checking N1. So we cannot have made security worse for anyone
> that would accept (1). The opposite is also true, anyone that would trust N1
> will not need to verify M1. So (2) strictly improves availability without
> reducing security for anyone. (This was my proposed design in the initial
> mail).
Except handling (2) is only SHOULD in TLS 1.3, and there are clients that
don't implement that and blow up if presented with such a "chain".

Implementing such support is risky, because it makes certificate
verification code much more complex, increasing the probability of nasty
security bugs (beyond just memory safety).

Also, it makes the server Certificate message bigger, and that message is
in the best place to hurt performance.

Also, the incentives look to be very wicked. As long as clients keep
accepting classical certificates, there is an incentive to keep using
those. And until a CRQC exists, that does not even hurt security.

That is worse than the SHA-1 to SHA-2 transition, where there was really no
difference beyond client support (and that could be negotiated, but server
support was poor). And yet that transition took over a decade, really
ending only because browsers stopped accepting SHA-1 certificates.

-Ilari

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
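The following is an added toy model of the three chain shapes under discussion; it is not code from either poster or from any TLS implementation. Certificates are reduced to (subject, issuer, signature-algorithm) triples and signatures are not actually computed: what matters for the argument is which edges a verifier walks, so the model records the path it builds and therefore which signatures it relies on. It also includes a strict in-order verifier of the kind Ilari describes, which rejects shape (2) outright. The key names L1, M1, N1 and the shape numbers come from the thread; the "pq"/"classical" labels, the `build_path`/`verify_linear` names and the depth limit are assumptions of this example.

```python
"""Toy path-building model for chain shapes (1), (2) and (3).

Constructed example: certificates are (subject, issuer, alg) triples and
no real signatures are verified. A path-building verifier only needs to
verify the signatures on the path it actually returns, so a certificate it
never walks cannot weaken its decision.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str   # key being certified
    issuer: str    # key that signed this certificate
    alg: str       # algorithm of the issuer's signature: "pq" or "classical"


# The three shapes from the thread, using '<-' as 'signed by'.
L1_BY_M1 = Cert("L1", "M1", "pq")          # L1 <- M1
L1_BY_N1 = Cert("L1", "N1", "classical")   # L1 <- N1
M1_BY_N1 = Cert("M1", "N1", "classical")   # M1 <- N1 (cross-sign)

SHAPE_1 = [L1_BY_M1]            # (1) L1 <- M1
SHAPE_2 = [L1_BY_M1, L1_BY_N1]  # (2) N1 -> L1 <- M1, two intermediates, one leaf
SHAPE_3 = [L1_BY_M1, M1_BY_N1]  # (3) L1 <- M1 <- N1


def build_path(subject: str, pool: List[Cert], trust_anchors: Set[str],
               max_depth: int = 4) -> Optional[List[Cert]]:
    """Depth-first path building from `subject` toward a trusted key.

    Returns the certificates on the first path found, in leaf-first order,
    or None if no path reaches a trust anchor within `max_depth` steps.
    Only the signatures on the returned path would be verified.
    """
    def walk(name: str, depth: int) -> Optional[List[Cert]]:
        if name in trust_anchors:
            return []                      # reached a key we trust directly
        if depth >= max_depth:
            return None                    # bound the search; also stops cycles
        for cert in pool:
            if cert.subject == name and cert.issuer != name:
                rest = walk(cert.issuer, depth + 1)
                if rest is not None:
                    return [cert] + rest   # this signature is on the path
        return None                        # dead end: nothing here was relied on

    return walk(subject, 0)


def algorithms_relied_on(path: List[Cert]) -> Set[str]:
    """Signature algorithms whose security the accepted path depends on."""
    return {c.alg for c in path}


def verify_linear(certificate_list: List[Cert], trust_anchors: Set[str]) -> bool:
    """Strict legacy-style verifier: expects certificate_list[i+1] to be the
    issuer of certificate_list[i] and the last issuer to be trusted. It has
    no path building, so the extra leaf certificate in shape (2) makes it
    fail instead of being ignored."""
    for cur, nxt in zip(certificate_list, certificate_list[1:]):
        if cur.issuer != nxt.subject:
            return False
    return certificate_list[-1].issuer in trust_anchors


if __name__ == "__main__":
    for label, shape in (("(1)", SHAPE_1), ("(2)", SHAPE_2), ("(3)", SHAPE_3)):
        for anchors in ({"M1"}, {"N1"}):
            path = build_path("L1", shape, anchors)
            algs = algorithms_relied_on(path) if path else None
            print(f"shape {label} trusting {sorted(anchors)}: path={path} relies on {algs}")
        print(f"shape {label} strict linear verifier: {verify_linear(shape, {'M1', 'N1'})}")
```

Running it shows the distinction the thread turns on: a verifier that trusts only M1 accepts shape (2) on the single "pq" edge and never touches the classical certificate, a verifier that trusts only N1 accepts on the classical edge and never touches M1, while in shape (3) a verifier trusting N1 necessarily relies on both algorithms. The strict linear verifier accepts (1) and (3) but rejects (2), which is the "blow up on such a chain" client behaviour, modelled here as a rejection rather than a crash.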