Use of the ML-DSA Signature Algorithm in the Cryptographic Message Syntax (CMS)
draft-ietf-lamps-cms-ml-dsa-07

[Ballot comment]
Section 5, paragraph 1
>    If ML-DSA signing is implemented in a hardware device such as
>    hardware security module (HSM) or portable cryptographic token,
>    implementers might want to avoid sending the full content to the
>    device for performance reasons.  By including signed attributes,
>    which necessarily include the message-digest attribute and the
>    content-type attribute as described in Section 5.3 of [RFC5652], the
>    much smaller set of signed attributes are sent to the device for
>    signing.
>
>    Additionally, the pure variant of ML-DSA does support a form of pre-
>    hash via external calculation of the mu "message representative"
>    value described in Section 6.2 of [FIPS204].  This value may
>    "optionally be computed in a different cryptographic module" and
>    supplied to the hardware device, rather than requiring the entire
>    message to be transmitted.  Appendix D of
>    [I-D.ietf-lamps-dilithium-certificates] describes use of external mu
>    calculations in further detail.

I am happy to see that the authors decided to include an Operational Considerations section. Thanks for doing that.

Possible DOWNREF from this Standards Track doc to [CSOR]. If so, the IESG needs
to approve it.

Possible DOWNREF from this Standards Track doc to [FIPS204]. If so, the IESG
needs to approve it.

Found terminology that should be reviewed for inclusivity; see
https://www.rfc-editor.org/part2/#inclusive_language for background and more
guidance:

* Term "traditional"; alternatives might be "classic", "classical", "common",
  "conventional", "customary", "fixed", "habitual", "historic",
  "long-established", "popular", "prescribed", "regular", "rooted",
  "time-honored", "universal", "widely used", "widespread"

-------------------------------------------------------------------------------
NIT
-------------------------------------------------------------------------------

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

Section 2, paragraph 0
>    Many ASN.1 data structure types use the AlgorithmIdentifier type to
>    identify cryptographic algorithms. in the CMS, AlgorithmIdentifiers
>    are used to identify ML-DSA signatures in the signed-data content
>    type.  They may also appear in X.509 certificates used to verify
>    those signatures.  The same AlgorithmIdentifiers are used to identify
>    ML-DSA public keys and signature algorithms.
>    [I-D.ietf-lamps-dilithium-certificates] describes the use of ML-DSA
>    in X.509 certificates.  The AlgorithmIdentifier type is defined as
>    follows:


s/in the CMS/In the CMS/

These URLs in the document did not return content:

* https://www.ietf.org/mailman/listinfo/spasm/
* https://doi.org/10.6028/nist.fips.180

Section 1, paragraph 1
> o the published RFCs. Prior to standardisation, ML-DSA was known as Dilithium
>                                ^^^^^^^^^^^^^^^
Do not mix variants of the same word ("standardisation" and "standardization")
within a single text.

Section 3.3, paragraph 10
> important guidance in this area. By default ML-DSA signature generation uses
>                                  ^^^^^^^^^^
Did you mean: "By default,"?

[Ballot comment]
Note as stated in some other recent documents, I believe RFC4086 is very dated and it is likely better to not reference it at all

[Ballot comment]
# Orie Steele, ART AD, comments for draft-ietf-lamps-cms-ml-dsa-05
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-cms-ml-dsa-05.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### Context not used?

```
244   ML-DSA has a context string input that can be used to ensure that
245   different signatures are generated for different application
246   contexts.  When using ML-DSA as described in this document, the
247   context string is not used.
```

I think you mean that the default context is used, which is empty per Section 5.2 of FIPS 204;

"By default, the context is the empty string, though applications may specify the use of a non-empty context string."

### Why not MUST?

```
266       of the ML-DSA parameter set.  Verifiers MAY reject a signature if
267       the signer's choice of digest algorithm does not meet the security
268       requirements of their choice of ML-DSA parameter set.  Table 1
269       shows appropriate SHA-2 and SHA-3 digest algorithms for each
270       parameter set.
```

Seems weird for a verifier to accept such a signature.

[Ballot comment]
A lot of fiction references in this I-D (e.g., dilithium among others).

More seriously, authors may consider the following comments:

# Section 1

s/NIST/US National Institute of Standards and Technology (NIST)/

Should `SLH-DSA` be expanded ?

[Ballot comment]
Hi Ben, Adam, and Daniel,

Thank you for the effort put into this specification.

I trust that the examples were validated.

Please find below some few comments, ordered by the document flow:

# Regional matters

Please make this change to the abstract:

OLD:
  The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as
  defined in FIPS 204,

NEW:
  The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as
  defined in US FIPS 204,

and the following one to the introduction:

OLD;
  The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a
  digital signature algorithm standardised by NIST as part of their

NEW:
  The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a
  digital signature algorithm standardised by US National Institute
  of Standards and Technology (NIST) as part of their

# Picky :-)

NEW:
      |  RFC EDITOR: Please replace
      |  [I-D.ietf-lamps-dilithium-certificates] and
      |  [I-D.ietf-lamps-cms-sphincs-plus] throughout this document with
      |  references to the published RFCs.

We don’t need a note for this as this is this is normal editing process, except for the embedded mention in the ASN module. You may reword as follows:

NEW:
      |  RFC EDITOR: Please replace
      |  [I-D.ietf-lamps-dilithium-certificates] in ASN module with
      |  references to the published RFC.

Alternatively, you may delete this note here and use the one right before the ASN module to convey that message.

# Point where the rationale for not covering the pre-hash mode is provided, e.g.,

OLD:
  [FIPS204] also specifies a pre-hashed variant of ML-DSA, called
  HashML-DSA.  Use of HashML-DSA in the CMS is not specified in this
  document.
NEW:
  [FIPS204] also specifies a pre-hashed variant of ML-DSA, called
  HashML-DSA.  Use of HashML-DSA in the CMS is not specified in this
  document. See Section 3.1 for mor details.

draft-ietf-lamps-dilithium-certificates has a more detailed description of the rationale in its section 8.3.

# a nit in Section 2

OLD: identify cryptographic algorithms. in the CMS,

NEW: identify cryptographic algorithms. In the CMS,

# Appendix A.  ASN.1 Module

## Note

CURRENT:
      |  RFC EDITOR: Please replace TBD2 with the value assigned by IANA
      |  during the publication of
      |  [I-D.ietf-lamps-dilithium-certificates].

Can be deleted as TBD2=119 was already assigned by IANA.

## Use the module name (X509-ML-DSA-2025) as registered by IANA (id-mod-x509-ml-dsa-2025) and the assigned value (119)

OLD:
==>  FROM X509-ML-DSA-2024 -- From [I-D.ietf-lamps-dilithium-certificates]
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
==>  id-mod-x509-ml-dsa-2024(TBD2) } ;
                              ^^^^

NEW:
    FROM X509-ML-DSA-2025 -- From [I-D.ietf-lamps-dilithium-certificates]
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-x509-ml-dsa-2025(119) } ;

Cheers,
Med

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-lamps-cms-ml-dsa-04. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which we must complete.

In the SMI Security for S/MIME Module Identifier registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

a single new registration is to be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-ml-dsa-2024
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

We understand that this is the only action required to be completed upon approval of this document.

NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2025-06-05):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-lamps-cms-ml-dsa@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Use of the ML-DSA Signature Algorithm in the Cryptographic Message Syntax (CMS)) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Use of the
ML-DSA Signature Algorithm in the Cryptographic Message
  Syntax (CMS)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2025-06-05. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as
  defined in FIPS 204, is a post-quantum digital signature scheme that
  aims to be secure against an adversary in possession of a
  Cryptographically Relevant Quantum Computer (CRQC).  This document
  specifies the conventions for using the ML-DSA signature algorithm
  with the Cryptographic Message Syntax (CMS).  In addition, the
  algorithm identifier and public key syntax are provided.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-ml-dsa/



No IPR declarations have been submitted directly on this I-D.

# Shepherd Write-up for draft-ietf-lamps-cms-ml-dsa-03

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.  The discussion was
  very active, and LAMPS WG consensus was reached.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was much controversy, especially about the private key format.
  The LAMPS WG reached a place that everyone can live with the result,
  even if everyone is not completely happy.  That is, the document
  represents a place where all parties are equally unhappy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal or otherwise indicated discontent.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, which is the reason that the private key format
  discussion became so difficult.  No implementer wanted to make changes.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder value is inserted for the module
  identifier that will be assigned by IANA, the ASN.1 module in Appendix A
  compiler without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    The authors have explicitly stated that they are unaware of any IPR that
    needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about two lines with non-ASCII characters.  They are in
    places where such characters are allowed.
   
    IDnits complains about one long line.  It is related to a comment
    in the ASN.1 module that will be changed by the RFC Editor once
    [I-D.ietf-lamps-dilithium-certificates] is published.  It will not
    be too long once this is replaced with an RFC number.

    IDnits complains about the lack of '' and ''.
    The ASN.1 module includes these markers, the other places in the
    document are talking about fragments of the ASN.1 module, and these
    markers would be distractions.

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are no downward references.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All normative references have already been published except the one
    that is being sent to the IESG at the same time as this document.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.


# Shepherd Write-up for draft-ietf-lamps-cms-ml-dsa-03

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.  The discussion was
  very active, and LAMPS WG consensus was reached.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was much controversy, especially about the private key format.
  The LAMPS WG reached a place that everyone can live with the result,
  even if everyone is not completely happy.  That is, the document
  represents a place where all parties are equally unhappy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal or otherwise indicated discontent.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, which is the reason that the private key format
  discussion became so difficult.  No implementer wanted to make changes.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder value is inserted for the module
  identifier that will be assigned by IANA, the ASN.1 module in Appendix A
  compiler without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    The authors have explicitly stated that they are unaware of any IPR that
    needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about two lines with non-ASCII characters.  They are in
    places where such characters are allowed.
   
    IDnits complains about one long line.  It is related to a comment
    in the ASN.1 module that will be changed by the RFC Editor once
    [I-D.ietf-lamps-dilithium-certificates] is published.  It will not
    be too long once this is replaced with an RFC number.

    IDnits complains about the lack of '' and ''.
    The ASN.1 module includes these markers, the other places in the
    document are talking about fragments of the ASN.1 module, and these
    markers would be distractions.

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are no downward references.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All normative references have already been published except the one
    that is being sent to the IESG at the same time as this document.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.