Why does OpenSSL report google's certificate is "self-signed"?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 31 18:14:15 UTC 2021

> On Mar 31, 2021, at 2:01 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> For a Web GUI with the user at the console (e.g., a Web browser), it might be OK. 
> For my needs (devices talking to each other over austere links), sending the root CA very is both useless and wasteful. One you factor in the sizes of Post-Quantum keys and signatures - you’ll start disliking this idea even more. 

There's no urgency in post-quantum keys for CA signatures in TLS.  Their
future weakness does not compromise today's traffic.  Until actual scalable
QCs start cracking RSA and ECDSA in near real-time only the ephemeral key
agreement algorithm needs to be PQ-resistant now to future-proof session

So certificates can continue to use RSA and ECDSA for quite some time.


More information about the openssl-users mailing list