> An interesting point here. For the current approach – indeed, ephemeral KEX does not need PKI.
>
> However, consider AuthKEM proposal, and KEMTLS – while ephemeral keys certainly won’t depend on PKI, the static ones will.
But you can't have the AuthKEM keys going all the way up the PKI, but need a signing key. I’m not sure I understand: certainly, you can have a CA-signed ML-KEM key, which is what we’re doing. (The fact that our CA will only do ML-DSA is beside the point.) And at that point you might pick the right signature for the job at each level: big public key OK for root keys if it makes signatures smol. Intermediates have to be fairly balanced, but if you can elide, the tradeoff is similar. And signatures on ends need pretty quick verification. Please see above. If I misunderstood, please clarify. Thanks
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org