On 04/02/2025 14:10, Bas Westerbaan wrote:
> I just sketched one with a signal in the certificate. You point out some valid deployment challenges, but they're far from disqualifying the approach from the start, and we should give the general direction a chance.

Always worth exploring new directions, but this transition to PQ is really just a transition to treating TLS with classical crypto as equivalent to not using TLS at all. The lessons from the last 10 years of HTTPS adoption apply pretty much directly.

> PQ HSTS (plus preload) is interesting and worthwhile for popular domains, but it can't carry the weight for the whole Internet, as it requires turning off classical crypto after the CRQC arrives. May I first challenge you to turn off plain HTTP in Firefox :)?

I don't think we're ever going to be able to turn off plain HTTP or classical crypto. We're just going to have scarier and scarier warnings according to the frequency with which we expect users to encounter them.
HSTS, or any other transition strategy, is about providing security for early adopters by preventing downgrade attacks. Late adopters get nudged by bad UX (broken padlocks, interstitials, etc) rather than any self-interest in cryptography or actively managing certificates.
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org