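@comment{
  IETF Internet-Draft draft-sheffer-tls-pqc-continuity, revision 00, marked Work in
  Progress (dated 2025-10-18). Internet-Drafts expire and are superseded by later
  revisions; check the datatracker link in the url field for the current version
  before citing, and cite the revision actually read.
  Field notes: the title protects only the acronyms PQC and TLS so the style can apply
  its own casing; authors are stored in Last, First form so name parsing is
  unambiguous; year and month are kept alongside the biblatex-only pagetotal and
  day fields so the entry resolves under both classic BibTeX and biblatex.
}
@techreport{sheffer-tls-pqc-continuity-00,
  author      = {Sheffer, Yaron and Reddy.K, Tirumaleswar},
  title       = {{PQC} Continuity: Downgrade Protection for {TLS} Servers Migrating to {PQC}},
  type        = {Internet-Draft},
  number      = {draft-sheffer-tls-pqc-continuity-00},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2025,
  month       = oct,
  day         = 18,
  pagetotal   = 9,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-sheffer-tls-pqc-continuity/00/},
  abstract    = {As the Internet transitions toward post-quantum cryptography (PQC), many TLS servers will continue supporting traditional certificates to maintain compatibility with legacy clients. However, this coexistence introduces a significant vulnerability: an undetected rollback attack, where a malicious actor strips the PQC or Composite certificate and forces the use of a traditional certificate once quantum-capable adversaries exist. To defend against this, this document defines a TLS extension that allows a client to cache a server's declared commitment to present PQC or composite certificates for a specified duration. On subsequent connections, clients enforce that cached commitment and reject traditional-only certificates that conflict with it. This mechanism, inspired by HTTP Strict Transport Security (HSTS) but operating at the TLS layer provides PQC downgrade protection without requiring changes to certificate authority (CA) infrastructure.},
}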