On Mon, Feb 3, 2025 at 5:53 AM Dennis Jackson <ietf= 40dennis-jackson...@dmarc.ietf.org> wrote:
> On 01/02/2025 18:00, Eric Rescorla wrote:
> >
> > 2. It allows clients to safely force the server to offer a PQ chain
> > even if the client actually is type (3). Normally it wouldn't be
> > safe to only advertise PQ algorithms in signature_algorithms, but
> > if the server advertises a PQ TA, then the client can safely
> > provide only that TA in the ClientHello while offering a wider set
> > of TAs to other servers. This can also be used on the client
> > side to measure PQ support on servers.
>
> I haven't seen this come up in discussion before, but I don't think this
> is a meaningful use case.
>
> The type 3 clients don't get any additional security unless they can
> enforce the use of PQ in future connections to that site. Otherwise, an
> attacker can always force this client back to advertising and accepting
> a traditional algorithm.

The motivation here is not for security but rather for progressive rollout and/or measurement. Because TLS provides no mechanism for the server to tell the client what kind of certificates it has, the client has no way of measuring the successful deployment of PQ authentication short of restricting signature_algorithms. This will obviously cause breakage and so then requires some application-level retry logic. If servers advertise PQ support via TAI then clients can more safely require PQ chains, thus measuring success in practice both for the servers and for the client's network environment. This isn't a random sample of the population, obviously, but it's better than nothing.

> This requires some kind of active signal from
> the server to the client, which the server is going to have to
> consent+commit to anyway, so I don't think trying to mess around with
> the Client Hello to coerce servers can deliver any benefit.

I agree it doesn't deliver any security benefit. That's not the same as no benefit.
> Also, I'm
> not sure I can imagine a scenario where there's enough server-side PQ
> support for type 4 clients to exist, but with some servers still
> unwilling to send PQ signatures when offered.

The obvious case seems to be widespread but not universal PQ deployment and a good CRQC.

-Ekr
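The client behaviour described in the reply above (offer only a PQ trust anchor and PQ signature_algorithms when the server has advertised a PQ TA, otherwise the full set; on breakage do the application-level retry; count outcomes for measurement), as an added Python model. This is example code, not from the thread or any TLS implementation; the trust anchor IDs, algorithm names and the simulated server are constructed placeholders.

```python
# Added example (not from the thread): a client-side policy modelling the
# rollout/measurement idea above.  Trust anchor IDs and algorithm names are
# constructed placeholders; no real TLS handshake takes place.
from dataclasses import dataclass

PQ_SIG_ALGS = ("pq-sig",)                       # placeholder PQ signature scheme
TRAD_SIG_ALGS = ("ecdsa_secp256r1_sha256",)     # traditional scheme
PQ_TAS = {"ta-pq-root"}                         # hypothetical PQ trust anchor IDs
TRAD_TAS = {"ta-classic-root"}                  # hypothetical traditional TA IDs
ALL_TAS, ALL_ALGS = PQ_TAS | TRAD_TAS, PQ_SIG_ALGS + TRAD_SIG_ALGS

@dataclass
class Stats:
    pq_only_attempts: int = 0
    pq_only_success: int = 0
    fallbacks: int = 0

def build_client_hello(advertised_tai):
    """If the server advertised a PQ TA (e.g. via TAI), offer only that TA and
    PQ signature_algorithms; otherwise offer the full set like any client."""
    pq = PQ_TAS & set(advertised_tai)
    if pq:
        return sorted(pq), list(PQ_SIG_ALGS)
    return sorted(ALL_TAS), list(ALL_ALGS)

def make_server(chains):
    """Simulated server holding {ta_id: sig_alg} chains.  It returns the first
    chain matching an offered TA and sig alg, or None (handshake failure)."""
    def serve(tas, algs):
        for ta in tas:
            if chains.get(ta) in algs:
                return (ta, chains[ta])
        return None
    return serve

def connect(server, advertised_tai, stats):
    """Try the restricted hello first; on failure, do the application-level
    retry with the full offer and count it as breakage for measurement."""
    tas, algs = build_client_hello(advertised_tai)
    restricted = algs == list(PQ_SIG_ALGS)
    if restricted:
        stats.pq_only_attempts += 1
    chain = server(tas, algs)
    if chain is None and restricted:
        stats.fallbacks += 1
        chain = server(sorted(ALL_TAS), list(ALL_ALGS))
    elif chain is not None and restricted:
        stats.pq_only_success += 1
    return chain
```

The fallback counter is the "breakage" the reply mentions; a server that advertises a PQ TA but cannot actually serve a PQ chain shows up there rather than as a hard failure.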
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org