[TLS] Re: PQC Continuity draft
Yaroslav Rosomakho <yrosomakho@zscaler.com> Mon, 09 February 2026 20:16 UTC
From: Yaroslav Rosomakho <yrosomakho@zscaler.com>
Date: Mon, 09 Feb 2026 20:16:02 +0000
To: Eric Rescorla <ekr@rtfm.com>
CC: Felix Linker <linkerfelix@gmail.com>, TLS WG <tls@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/cmJCj0s9dgw6DFpHOxz3OF7ERWM>

On Mon, Feb 9, 2026 at 3:44 PM Eric Rescorla <ekr@rtfm.com> wrote:

> Without taking a position on the merits of this idea generally, I would
> like to observe that it's not generally the case that people are
> individually deciding whether to trust non-PQ credentials or not. Rather,
> their software provider--in the Web case, the browser vendor--makes a
> global policy decision for their product. In some cases, users can of
> course change their configurations, but they generally don't.
>

I don't think trust or lack thereof is strictly binary. There is a history of web browsers using various UI elements to inform the users about levels of "security" of the website.

I suppose a reasonable PQC certificate migration process at some point could include visual warnings from the browsers when a website did not produce an acceptable PQC certificate and perhaps blocking users from entering sensitive information such as passwords or payment credentials - especially if a given website did produce an acceptable PQC certificate in the past. I am not sure if protocol level hints or commitments are needed.

> -Ekr
>

-yaroslav