On Tue, Apr 15, 2025 at 07:30:25PM -0700, Eric Rescorla wrote:
> On Tue, Apr 15, 2025 at 7:02 PM Viktor Dukhovni <ietf-d...@dukhovni.org>
> wrote:
>
> > On Tue, Apr 15, 2025 at 01:55:35PM -0700, Andrey Jivsov wrote:
> >
> > > I don't think that standalone ML-DSA should be adopted.
> > >
> > > There is time to move to a non-hybrid X.509 and digital signatures in the
> > > future.
> > >
> > > This topic has implications to availability of X.509 certificates, as
> > > there is a real risk that CAs will prefer standalone ML-DSA to the
> > > exclusion of hybrids, and also that other protocols will be limited to
> > > standalone ML-DSA.
> >
> > But CAs do not choose EE keys, the key in the CSR is chosen by users.
> >
>
> Well, yes and no. CAs, at least in the WebPKI, will only sign keys that
> are allowed by the CABF Baseline Requirements (which, AFAICT, do
> not allow any PQ algorithms at present).

Yes, of course, CAs will only sign those user-requested keys that they
support, but it is still the user (be it a bot the user deployed in some
cases) that chooses the key algorithm, from the set of key algorithms
supported by the CA.

Market demand and stable specifications will determine whether/when CAs
will support hybrid keys, and users will then be able to request hybrid
certificates. I don't see this adoption call as a plausible barrier.

--
Viktor.