Comment Re: Mac OS has already started to pester me (Score 1) 55
Sure, it is not a big problem for SSH. It is a problem when you connect to a web site, especially as certificate lifetimes get shorter: you need the whole certificate chain from a root (that your browser trusts) to the web server, which means at least two public keys and signatures and often more.
The NIST-approved post-quantum options and PK/sig sizes (in bytes, for "security level 1", which is the lowest) are Crystals Dilithium 2 (1312 / 2420), Falcon-512 (897 / 666 but computationally expensive) or SPHINCS+-SHA2-128s (32 / 7856 for the smaller but more computationally expensive signatures; same for SPHINCS+-SHAKE-128s). This compares to 32/64 or 64/48 bytes for 256-bit ECC algorithms and 256/256 bytes for 2048-bit RSA. If you are fetching a few kilobytes of text or CSS, this additional overhead is huge.