tireddy2 / pqc_uta


TLS alert mechanisms #10

Open thomwiggers opened 11 months ago

thomwiggers commented 11 months ago

If the TLS server is not happy with pre-quantum algorithms, then it should simply send the "insufficient_security" alert defined in RFC 8446 and terminate the connection. Otherwise you're still establishing a TLS connection with bad security, which seems like the kind of thing that we got rid of when browsers stopped letting you just click through the "bad certificate" warnings.

tireddy2 commented 11 months ago

Good point. Modified text as follows:

> When the server detects that the client doesn't support PQC or hybrid key exchange, it can send an 'insufficient_security' fatal alert to the client. The client can inform the end-users that the server they are trying to access requires a level of security that the client cannot provide due to the lack of PQC support. Furthermore, the client may log the event for diagnostic and security auditing purposes and report the security-related issue to the client development team.
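The behaviour agreed in this thread, as an added example that is not part of the issue or the pqc_uta draft: the server checks the groups the ClientHello offered, emits the RFC 8446 fatal `insufficient_security` alert record when no acceptable PQC/hybrid group is present, and the client turns that record into an audit log line and an end-user message. The required-group set is an assumption (the X25519MLKEM768 code point is taken from the IANA Supported Groups registry); note that an alert sent in reply to the ClientHello is still plaintext, since no keys exist yet.

```python
import logging
import struct
from typing import Iterable, Optional

CONTENT_TYPE_ALERT = 21
LEGACY_RECORD_VERSION = 0x0303  # TLS 1.3 records still carry 0x0303 on the wire
ALERT_LEVEL_FATAL = 2
# AlertDescription code points from RFC 8446, section 6 (subset used here)
INSUFFICIENT_SECURITY = 71
ALERT_NAMES = {0: "close_notify", 40: "handshake_failure", 71: "insufficient_security"}
# Hybrid group the server insists on; X25519MLKEM768 code point assumed from the
# IANA TLS Supported Groups registry. Replace with whatever the deployment requires.
REQUIRED_GROUPS = frozenset({0x11EC})

log = logging.getLogger("tls-client")


def build_alert(level: int, description: int) -> bytes:
    """Serialise one TLSPlaintext record of type alert (RFC 8446, sections 5.1 and 6)."""
    body = struct.pack("!BB", level, description)
    return struct.pack("!BHH", CONTENT_TYPE_ALERT, LEGACY_RECORD_VERSION, len(body)) + body


def server_decide(client_groups: Iterable[int], required: frozenset = REQUIRED_GROUPS) -> Optional[bytes]:
    """Server side: given the supported_groups offered in the ClientHello, return the
    fatal insufficient_security alert to send (then close the connection), or None
    to continue the handshake."""
    if required.isdisjoint(client_groups):
        return build_alert(ALERT_LEVEL_FATAL, INSUFFICIENT_SECURITY)
    return None


def client_handle_alert(record: bytes) -> dict:
    """Client side: parse an alert record, log it for auditing and build the message
    shown to the end user. Raises ValueError on a malformed record."""
    if len(record) != 7:
        raise ValueError("alert record must be exactly 7 bytes")
    ctype, version, length, level, desc = struct.unpack("!BHHBB", record)
    if ctype != CONTENT_TYPE_ALERT or length != 2:
        raise ValueError("not a well-formed alert record")
    name = ALERT_NAMES.get(desc, f"unknown({desc})")
    fatal = level == ALERT_LEVEL_FATAL
    log.warning("tls alert level=%d description=%s fatal=%s", level, name, fatal)
    if desc == INSUFFICIENT_SECURITY:
        user_msg = ("The server requires post-quantum key exchange, which this client "
                    "does not support. Update the client to connect.")
    else:
        user_msg = f"Connection closed by server with TLS alert {name}."
    return {"name": name, "fatal": fatal, "user_message": user_msg}
```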