ML-DSA for JOSE and COSE
draft-ietf-cose-dilithium-11

[Ballot comment]
Thanks to Peter Yee for their secdir reviews.

I found this specification easy to read and understand.  I only have one comment/question:

Section 7.2:  While this specification does not support HashML-DSA, there is no mention about whether a pre-hash option is acceptable or expected (as in App D of draft-ietf-lamps-dilithium-certificates).  However, I'm not sure where that would be mentioned in this specification.

[Ballot comment]

# Éric Vyncke, INT AD, comments for draft-ietf-cose-dilithium-09
CC @evyncke

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education).

Special thanks to Lucas Prabel for the shepherd's detailed write-up including the WG consensus *and* the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric

## COMMENTS (non-blocking)

### Abstract & section 1

s/This document describes/This document *specifies*/

### Section 3

Should `JWK` be expanded ? Or a reference be added ?

### Section 4

s/by NIST so/by US NIST so/ as not every reader lives in the USA.

### Section 5

Sentence such as `This document requests the registration` should rather be in the IANA considerations. Let's use here "This document specifies..." or similar.

Let's be consistent and use double quotes around parameter names, e.g., in `The ctx parameter` (this could happen in other places as well) while `The "pub" parameter` is also used.

Out of curiosity, where are the -44, -65, and -87 come from ? These numbers do not seem to be linked to key sizes.

### Section 9.2

As indicated by idnits, reference NIST-PQC-2022 is never used, so, let's remove it.

[Ballot comment]
Thank you to Russ Housley for the GENART review.

** Editorial.  A number of references in the document are not formal references.  For example:

-- Section 4, “FIPS 204” vs. “[FIPS 204]” (multiple instances)

-- Section 8.1.1, “RFC 9053 and RFC 9054” vs. “[RFC9053] and [RFC9054]” (multiple instances)

** Section 8.1.1.* -- Why is the change control entity specific named here, but it is in the JOSE registrations?

** Section 8.1.4.4.*  -- These registration have a row with “Value registry: [IANA.jose] Algorithms”.  That is not in the RFC7518 template or in the production https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms registry

[Ballot discuss]
Just some easy to address comments related to references that perhaps rise to the level of DISCUSS.

Sections 3 and 5:

The URLs [IANA.jose] and [IANA.cose] are informative references?

Section 8:

Several RFCs here that should be normative or informative references?

[Ballot comment]
Thanks to the authors and the WG for their work on this document. Please find below some comments and suggestions to improve the clarity of this document.

General:
s/NIST/US NIST and S/FIPS/US NIST FIPS - we want to be clear this is coming from an US entity

Section 1:

s/draft-ietf-cose-key-thumbprint/RFC9679

Perhaps change "as described in [FIPS-204] with JOSE and COSE" to "as described in [FIPS-204], in conjunction with JOSE and COSE." ?

Perhaps "can be compared according the procedures..." should be "can be compared according to the procedures..." ?

Section 3:

Keep the actions for IANA in the IANA considerations sections alone.

Perhaps instead of "This document requests the registration of the following key types in [IANA.jose]:", how about "This document introduces the following key types (see section 8.1.x for details):"

This can be done for other similar sentences (in this section as well as section 5). The URLs [IANA.jose] are better placed in the respective IANA consideration sub-sections?

s/use of multiple key type/the use of multiple key type

s/key parameters are base64url encoded/the key parameters are base64url encoded

Perhaps, instead of "Some algorithms might require or encourage additional structure or length checks for associated key type parameters", would this be more clear - "Some algorithms may require or recommend additional structure or length checks for associated key type parameters." ? ... not sure what is meant by encourage here?

Section 5:

Suggest "See the ML-DSA Private Keys section of this document for more details." change to "See Section 4, ML-DSA Private Keys, for further details."

Perhaps instead of "ML-DSA might not be the best choice for use cases that require small keys or signatures." it could be "ML-DSA may not be suitable for use cases requiring small keys or signatures." ?

[Ballot comment]
In Section 5, the reference for the registry where the registrations should be made is to the entire COSE/JOSE registry groups, and the particular registries are not specified until Section 8. I initially thought the values requested were incorrect but then realized I was looking at the wrong registry on that page. In Section 8, however, the registries are referenced by name and the link to the registry is omitted. I think this could be made clearer by putting all the registration information in Section 8 (including links to specific registries) and focusing Section 5 on the use of the registered values.

In Section 7.3, the normative requirement represented by "only a length check MUST be performed" is unclear. Should this be read "MUST NOT perform any checks other than length" or "MUST perform a length check and MAY perform additional checks as appropriate"? Or is this instead reflecting that a requirement already exists elsewhere and should be "a length check is required by Section x.y of [RFCabcd]"?

===NITS FOLLOW===
- Section 5, "needed, see" => "needed; see"
- Section 7, "specification, see" => "specification; see"

[Ballot comment]
Hi Michael and Orie,

Thanks for the effort put into this specification.

Thanks also to Tiru Tirumaleswar Reddy for the OPSDIR review and to the authors for engaging and proposing changes. I went through https://github.com/cose-wg/draft-ietf-cose-dilithium/pull/25/files and trust this PR will be merged. The explanation about the seed only design choice and also calling out some ML-DSA deployment challenges are appreciated.

I also trust the examples were validated.

I have very minor comments:

# Redundant IANA considerations

Not sure why IANA requests are repeated twice in the document (Sections 3/4/5 and then IANA Section). I think it is better to have this in one single place.

# Who is the target of this guidance?

CURRENT:
  When registering new algorithms, use of multiple key type parameters
  for private information is NOT RECOMMENDED.

# Citations

Several RFCs are provided in the text but are not cited as references, e.g., RFC 9054 and RFC 7518. Please check through the doc.

# Regional Matters

Please s/FIPS 204/US FIPS 204 in the abstract and s/NIST/US NIST in Section 4

Cheers,
Med

[Ballot comment]
This document does not describe a transport protocol change, and I have no related concerns.

I see:  draft-ietf-cose-key-thumbprint is alreday published as an RFC (and that draft-ietf-lamps-dilithium-certificates is in the RFC-Ed queue.

I have no additional review comments.

Request for IETF Last Call review by SECDIR Completed: Has Issues. Reviewer: Peter Yee. Sent review to list. Submission of review completed at an earlier date.

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-cose-dilithium-08. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are six actions which we must complete.

First, in the COSE Algorithms registry in the CBOR Object Signing and Encryption (COSE) registry group located at:

https://www.iana.org/assignments/cose/

the following three early allocations will be made permanent and their references changed to [ RFC-to-be ]:

Name: ML-DSA-44
Value: -48
Description: CBOR Object Signing Algorithm for ML-DSA-44
Capabilities: [kty]
Change Controller: IESG
Recommended: Yes

Name: ML-DSA-65
Value: -49
Description: CBOR Object Signing Algorithm for ML-DSA-65
Capabilities: [kty]
Change Controller: IESG
Recommended: Yes

Name: ML-DSA-87
Value: -50
Description: CBOR Object Signing Algorithm for ML-DSA-87
Capabilities: [kty]
Change Controller: IESG
Recommended: Yes

Second, in the COSE Key Types registry also in the CBOR Object Signing and Encryption (COSE) registry group located at:

https://www.iana.org/assignments/cose/

the following registration will have its reference changed to [ RFC-to-be ]:

Name: AKP
Value: 7
Description: COSE Key Type for Algorithm Key Pairs
Capabilities: [kty(7)]

Third, in the COSE Key Type Parameters registry also in the CBOR Object Signing and Encryption (COSE) registry group located at:

https://www.iana.org/assignments/cose/

the following two registrations will have their references changed to [ RFC-to-be ]:

Key Type: [ TBD-at-Registration ]
Name: pub
Label: -1
CBOR Type: bstr
Description: Public key
Reference: [ RFC-to-be ]

Key Type: [ TBD-at-Registration ]
Name: priv
Label: -2
CBOR Type: bstr
Description: Private key
Reference: [ RFC-to-be ]

Please note that the priv registration is still pending expert approval for early registration. This registration will be added and the document will be marked IANA OK after this review has been completed.

Fourth, in the JSON Web Signature and Encryption Algorithms registry in the JSON Object Signing and Encryption (JOSE) registry group located at:

https://www.iana.org/assignments/jose/

the following three early allocations will be made permanent and their references changed to [ RFC-to-be ]:

Algorithm Name: ML-DSA-44
Algorithm Description: ML-DSA-44 as described in FIPS 204.
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change Controller: IETF
Value registry: [IANA.jose] Algorithms
Algorithm Analysis Documents(s): [FIPS-204]

Algorithm Name: ML-DSA-65
Algorithm Description: ML-DSA-65 as described in FIPS 204.
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change Controller: IETF
Value registry: [IANA.jose] Algorithms
Algorithm Analysis Documents(s): [FIPS-204]

Algorithm Name: ML-DSA-87
Algorithm Description: ML-DSA-87 as described in FIPS 204.
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change Controller: IETF
Value registry: [IANA.jose] Algorithms
Algorithm Analysis Documents(s): [FIPS-204]

Fifth, in the JSON Web Key Types registry also in the JSON Object Signing and Encryption (JOSE) registry group located at:

https://www.iana.org/assignments/jose/

the following early allocation will be made permanent and its reference changed to [ RFC-to-be ]:

"kty" Parameter Value: AKP
Key Type Description: Algorithm Key Pair
JOSE Implementation Requirements: Optional
Change Controller: IETF

Sixth, also in the JSON Web Key Parameters registry also in the JSON Object Signing and Encryption (JOSE) registry group located at:

https://www.iana.org/assignments/jose/

the following two early allocations will be made permanent and their references changed to [ RFC-to-be ]:

Parameter Name: pub
Parameter Description: Public key
Used with "kty" Value(s): AKP
Parameter Information Class: Public
Change Controller: IETF
Specification Document(s): [ RFC-to-be ]

Parameter Name: priv
Parameter Description: Private key
Used with "kty" Value(s): AKP
Parameter Information Class: Private
Change Controller: IETF
Specification Document(s): [ RFC-to-be ]

Please note that the priv early allocation in JSON Web Key Parameters is still pending expert approval for early registration of the corresponding COSE Key Type Parameter. This early allocation will be added and the document will be marked IANA OK after this review has been completed.

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2025-07-28):

From: The IESG
To: IETF-Announce
CC: cose-chairs@ietf.org, cose@ietf.org, draft-ietf-cose-dilithium@ietf.org, lucas.prabel@huawei.com, paul.wouters@aiven.io
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (ML-DSA for JOSE and COSE) to Proposed Standard


The IESG has received a request from the CBOR Object Signing and Encryption
WG (cose) to consider the following document: - 'ML-DSA for JOSE and COSE'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2025-07-28. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document describes JSON Object Signing and Encryption (JOSE) and
  CBOR Object Signing and Encryption (COSE) serializations for Module-
  Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum
  Cryptography (PQC) digital signature scheme defined in FIPS 204.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/



No IPR declarations have been submitted directly on this I-D.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

Extensive discussions occurred on the mailing list prior to the WGLC, and a few additional comments were received during the WGLC. The authors have revised the document to incorporate the feedback received, and it now appears to have achieved broad agreement.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

Extended discussions took place on the mailing list concerning the appropriate “kty” value to define and use for ML-DSA. The solution of introducing the new Algorithm Key Pair (AKP) type seemed to gather working group support. Additionally, comments were made about the specification of the “context” string in ML-DSA, as well as the draft being too underspecified. The authors addressed these comments during the WGLC.

Ultimately, none of the document updates encountered significant objections. No one spoke against the adoption of the document during the WGLC. Consequently, there was no particular controversy over specific points, nor were there significant difficulties in reaching consensus.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

I am not aware of any threatened appeals or extreme discontent.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

The examples in Appendix A were generated using code specifically written for the draft, as reported on the COSE mailing list (https://mailarchive.ietf.org/arch/msg/cose/_IbCQoSJeXFG-GDZFlJZnZHCP1U/).

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

The specification applies to both JOSE and COSE. Alignment with other working groups that are specifying ML-DSA algorithms, such as LAMPS, was raised as a point to consider during mailing list discussions. Additionally, it was noted as desirable to obtain confirmation from an independent implementation of the examples provided in Appendix A of the document.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No such criteria apply.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

The document contains no YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

The document uses no formal language.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

Yes, I believe the document is ready. Some nits can be addressed later in the process.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

Among the common Security Area issues, the document addresses the Threat Models and Security Environment aspect in its Security Considerations section. Most other Security Area concerns do not appear to be relevant. In particular, since the registered algorithms already exist, they do not fall under the "New Cryptography" category.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard is being requested. This status seems appropriate for this document, as it is the same status as the other COSE specifications that register algorithms. The document header is correct, while the "Intended RFC status" on the Datatracker needs to be updated.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

No IPR disclosures were issued against this document. I am not aware of any reminders about IPR disclosure being sent to the authors.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

The idnits tool indicates multiple instances of too long lines in the document and some warnings that could be fixed later in the process. There are also one unused reference and one downref.

Other nits:
- Sections 8.1.4 and 8.1.5 should be subsections of the Section 8.1.3 "New COSE Key Type Parameters". Also, they should now be called "AKP Public Key" and "AKP Private Key", as it is the case with the "New JSON Web Key Parameters" Section for JOSE;
- "the following key types in [IANA.jose]" --> key type;
- "the security considerations of [...] applies" --> apply;
- need to standardize the usage of capital letters in specific expressions (eg: "AKP Key" vs "AKP key");
- the document "CBOR Object Signing and Encryption (COSE) Key Thumbprint" is now an RFC and the name of the normative reference can be updated to "RFC9679".
- need a comma after "When this key type is used"
- "using th algorithms" --> the

Otherwise, the document adheres to the Content Guidelines.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

The Informational RFC 9053 is a normative reference, which seems appropriate.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

There is no such reference.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

There is a normative downward reference to the Informational RFC 9053.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

There is no such reference.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

Publication of this document will not change the status of any existing RFCs.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

Sections 8.1.4 and 8.1.5 should be subsections of the Section 8.1.3 "New COSE Key Type Parameters". Also, they should now be called "AKP Public Key" and "AKP Private Key", as it is the case with the "New JSON Web Key Parameters" Section for JOSE.

The placeholders “Reference: RFC XXXX” and “Specification Document(s): RFC XXXX” in the IANA Considerations section will need to be updated.

Otherwise, the IANA actions are clearly described and appropriate.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

The specification does not create any new IANA registry; it only adds entries to existing registries.


[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://wiki.ietf.org/group/ops/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://wiki.ietf.org/group/iesg/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

Extensive discussions occurred on the mailing list prior to the WGLC, and a few additional comments were received during the WGLC. The authors have revised the document to incorporate the feedback received, and it now appears to have achieved broad agreement.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

Extended discussions took place on the mailing list concerning the appropriate “kty” value to define and use for ML-DSA. The solution of introducing the new Algorithm Key Pair (AKP) type seemed to gather working group support. Additionally, comments were made about the specification of the “context” string in ML-DSA, as well as the draft being too underspecified. The authors addressed these comments during the WGLC.

Ultimately, none of the document updates encountered significant objections. No one spoke against the adoption of the document during the WGLC. Consequently, there was no particular controversy over specific points, nor were there significant difficulties in reaching consensus.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

I am not aware of any threatened appeals or extreme discontent.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

The examples in Appendix A were generated using code specifically written for the draft, as reported on the COSE mailing list (https://mailarchive.ietf.org/arch/msg/cose/_IbCQoSJeXFG-GDZFlJZnZHCP1U/).

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

The specification applies to both JOSE and COSE. Alignment with other working groups that are specifying ML-DSA algorithms, such as LAMPS, was raised as a point to consider during mailing list discussions. Additionally, it was noted as desirable to obtain confirmation from an independent implementation of the examples provided in Appendix A of the document.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

No such criteria apply.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

The document contains no YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

The document uses no formal language.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

Yes, I believe the document is ready. Some nits can be addressed later in the process.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

Among the common Security Area issues, the document addresses the Threat Models and Security Environment aspect in its Security Considerations section. Most other Security Area concerns do not appear to be relevant. In particular, since the registered algorithms already exist, they do not fall under the "New Cryptography" category.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

Proposed Standard is being requested. This status seems appropriate for this document, as it is the same status as the other COSE specifications that register algorithms. The document header is correct, while the "Intended RFC status" on the Datatracker needs to be updated.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

No IPR disclosures were issued against this document. I am not aware of any reminders about IPR disclosure being sent to the authors.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.

Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

The idnits tool indicates multiple instances of too long lines in the document and some warnings that could be fixed later in the process. There are also one unused reference and one downref.

Other nits:
- Sections 8.1.4 and 8.1.5 should be subsections of the Section 8.1.3 "New COSE Key Type Parameters". Also, they should now be called "AKP Public Key" and "AKP Private Key", as it is the case with the "New JSON Web Key Parameters" Section for JOSE;
- "the following key types in [IANA.jose]" --> key type;
- "the security considerations of [...] applies" --> apply;
- need to standardize the usage of capital letters in specific expressions (eg: "AKP Key" vs "AKP key");
- the document "CBOR Object Signing and Encryption (COSE) Key Thumbprint" is now an RFC and the name of the normative reference can be updated to "RFC9679".
- need a comma after "When this key type is used"
- "using th algorithms" --> the

Otherwise, the document adheres to the Content Guidelines.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

The Informational RFC 9053 is a normative reference, which seems appropriate.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

There is no such reference.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

There is a normative downward reference to the Informational RFC 9053.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

There is no such reference.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

Publication of this document will not change the status of any existing RFCs.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

Sections 8.1.4 and 8.1.5 should be subsections of the Section 8.1.3 "New COSE Key Type Parameters". Also, they should now be called "AKP Public Key" and "AKP Private Key", as it is the case with the "New JSON Web Key Parameters" Section for JOSE.

The placeholders “Reference: RFC XXXX” and “Specification Document(s): RFC XXXX” in the IANA Considerations section will need to be updated.

Otherwise, the IANA actions are clearly described and appropriate.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

The specification does not create any new IANA registry; it only adds entries to existing registries.


[1]: https://www.ietf.org/about/groups/iesg/
[2]: https://www.rfc-editor.org/rfc/rfc4858.html
[3]: https://www.rfc-editor.org/rfc/rfc7942.html
[4]: https://wiki.ietf.org/group/ops/yang-review-tools
[5]: https://www.rfc-editor.org/rfc/rfc8342.html
[6]: https://wiki.ietf.org/group/iesg/ExpertTopics
[7]: https://www.rfc-editor.org/info/bcp79
[8]: https://www.ietf.org/tools/idnits/
[9]: https://www.rfc-editor.org/rfc/rfc3967.html
[10]: https://www.rfc-editor.org/info/bcp97
[11]: https://www.rfc-editor.org/rfc/rfc8126.html
[12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5
[13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1
[14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2
[15]: https://authors.ietf.org/en/content-guidelines-overview
[16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/
[17]: https://datatracker.ietf.org/doc/downref/