> Any TLS break delayed by more than 15 minutes would be worthless.

It sounds like you’re talking about breaking TLS’s key exchange? Why would this not have the usual issue of being able to decrypt recorded traffic at any time in the future?

Edit: If it’s because the plaintext isn’t useful, as knorker got at in a sibling comment… I sure hope we aren’t still using classical TLS by the time requiring it to be broken in 1 minute instead of 15 is considered a mitigation. Post-quantum TLS already exists and is being deployed…

The problem with key rotation as a defense is it is going to have to happen at EVERY level. You will have to rotate root CA keys at the same rate, or those could just be hacked, and your rotation won’t matter anymore.

> Any TLS break delayed by more than 15 minutes would be worthless.

What makes you say that? This is the store now decrypt later attack, and it's anything but worthless.

Oh, worthless for your oauth? Uh… but how do you bootstrap the trust? Sounds to me like you need post quantum to carry the whole thing anyway.

Or you mean one key signs the next? Ok, so your bet is that within the time window an RSA key, RSA can't be cracked?

Why in the world would anyone want to depend on that? Surely you will also pair it with PQ?