[TLS] Server dual-chains in the period of PQ transition

Dmitry Belyavsky <beldmit@gmail.com> Wed, 06 August 2025 07:28 UTC


Dear colleagues,

We came across the following scenario:
The server has two cert chains, PQ and classical, and prefers PQ.

A client doesn't have any PQ CAs configured but, at the handshake,
sends PQ sigalgs among others. The server replies with the PQ chain,
the client can't verify it, and the connection can't be established.

We've discussed it and see the following scenarios:

1. Consider it to be a client misconfiguration. To prevent this from
happening, the client had better not send PQ algos in sigalgs. To
not send PQ algos, clients should scan their CAs and stop sending PQ
algos if no PQ CAs are available.

2. "Smart" clients (e.g. web browsers) should implement fallback from
PQ to classical algorithms if a PQ connection can't be established. I
vaguely recollect that there were browsers downgrading the protocol
from TLS 1.3 to TLS 1.2 (and maybe lower) at least several years ago,
but I couldn't find a description of this behavior.

3. Cross-signing PQ certs with classic crypto algorithms, as it
happened before. It ensures the best client experience. The downside
of this behavior is that we have to sign a stronger cert with a weaker
CA, and personally I suspect some browsers forbid such chains.

Are there any other scenarios we are missing? Is this topic relevant
for TLS, PQUIP, or some other community (e.g. the CA/Browser Forum)?

-- 
SY, Dmitry Belyavsky
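A toy model of the mismatch described in the mail and of scenario 1's trust-store scan, added here as an illustration; it is not code from the mail or from any TLS implementation. Algorithm and CA names ("mldsa65", "PQ Root CA", and so on) are constructed stand-ins, and the model uses a single sigalgs list where a real TLS 1.3 client could also carry the certificate-specific preference in signature_algorithms_cert (RFC 8446).

```python
# Added example (not from the mail): a toy model of the handshake mismatch.
# Algorithm and CA names are constructed stand-ins, not real identifiers.

PQ_ALGS = {"mldsa65"}  # stands in for a PQ signature algorithm

# Server side: two chains, PQ first because the server prefers it.
# Each entry is (signature algorithm of the chain, issuing root CA).
SERVER_CHAINS = [
    ("mldsa65", "PQ Root CA"),
    ("ecdsa_secp256r1_sha256", "Classical Root CA"),
]

# Client side: trust store maps root CA name -> that CA's key algorithm.
# Constructed: only a classical root is configured, no PQ CA at all.
TRUST_STORE = {"Classical Root CA": "ecdsa_secp256r1_sha256"}

# Constructed client advertisement: a PQ sigalg sent "among others".
CLIENT_SIGALGS = ["mldsa65", "ecdsa_secp256r1_sha256", "rsa_pss_rsae_sha256"]


def server_select_chain(client_sigalgs, chains=SERVER_CHAINS):
    """First chain in server preference order whose sigalg the client
    advertised; None when there is no overlap (handshake fails either way)."""
    for sigalg, ca in chains:
        if sigalg in client_sigalgs:
            return sigalg, ca
    return None


def client_verify(chain, trust_store):
    """The chain verifies only if its root is in the client's trust store."""
    return chain is not None and chain[1] in trust_store


def prune_sigalgs(sigalgs, trust_store):
    """Scenario 1 from the mail: advertise PQ sigalgs only if at least one
    trusted root has a PQ key; otherwise drop them before the handshake."""
    if any(alg in PQ_ALGS for alg in trust_store.values()):
        return list(sigalgs)
    return [alg for alg in sigalgs if alg not in PQ_ALGS]


def handshake(client_sigalgs, trust_store=TRUST_STORE):
    """True if the chain the server selects is verifiable by the client."""
    return client_verify(server_select_chain(client_sigalgs), trust_store)


if __name__ == "__main__":
    # Mismatch as described: the PQ chain is selected and cannot be verified.
    print("unpruned:", handshake(CLIENT_SIGALGS))  # False
    # After the trust-store scan the classical chain is selected instead.
    print("pruned:", handshake(prune_sigalgs(CLIENT_SIGALGS, TRUST_STORE)))  # True
```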