> [ regarding encryption vs. signatures: ] >> There’s no damage possible (at least, in the TLS context) caused by PQ >> DSA break > > Not true. I already explained what's wrong with this argument: > https://mailarchive.ietf.org/arch/msg/tls/77uUYhGJYNVQIp9heMY9bkbKbaA/ > <https://mailarchive.ietf.org/arch/msg/tls/77uUYhGJYNVQIp9heMY9bkbKbaA/>
Sorry, I can’t accept the answer you’re giving. Your argument basically is comprised of two parts: 1. If a PQ DSA break happens, reverting back to ECC would take time, and 2. A PQ attack may not come to public attention (for some time?), leaving people with (only) PQ vulnerable. To (1) – then don’t move to PQ DSA until either CRQC is announced, or you’re certain “enough” (in whatever is your definition of “enough”) that PQ DSA is strong/resilient “enough”. To (2) – what makes you think there’s no ECC attack that simply hasn’t been announced yet? Perhaps, your whole reliance on ECC is misplaced?
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
