> From: Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> > Sent: Thursday, 1 April, 2021 10:09 > To: Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx>; openssl-users@xxxxxxxxxxx > Subject: Re: Why does OpenSSL report google's certificate is "self-signed"? > > In general - I concur, but there are nuances: sending root CA cert is mostly > harmless, but mostly useless - except when there's a human on the receiving > end that can and is allowed to make a decision to accept and trust that CA > cert. Agreed. I tried to capture the summary of pros and cons in the document I'm writing for our customers. > Re. PQC - even the "smallest" among them are much larger than what the > Classic keys and signatures are. E.g., Falcon-1024 signature is 1330 bytes > (or often less - say, 1200 bytes). Falcon-1024 public key is 1793 bytes. > Compare to, e.g., ECC-384 sizes... NTRU public keys are "easier", but not by > that much: 1230 bytes. Kyber public key is 1568 bytes. And I picked the > *smallest* ones - those I'd consider using myself. > > There's also McEliece... Yeah, if NIST standardizes on Classic McEliece for KEM, that's going to give us some *big* keys. Certainly for resource-constrained applications, like embedded or high-volume, it makes sense to omit the root even with ECC. A few KB here and there will add up. -- Michael Wojcik