Internet X.509 Public Key Infrastructure - Algorithm Identifiers for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)
draft-ietf-lamps-kyber-certificates-11

[Ballot comment]
Thanks for the work done in this document (and caring for very detailed appendixes).

Just one minor comment about the abstract, it should use the verb "specify" and not "describe" as the status is intended standard (the introduction section does it well though).

[Ballot comment]
I started reading this 71 page document about conventions in X.509 Public Key Infrastructure. However, the body of the text was a lot less (11 pages) and i found it well written.

Thank you for this nice writeup

[Ballot comment]
Hi Sean, Panos, Jake, and Bas,

Thank you for the work put into this specification.

I trust the ASN module and examples were validated.

Please find below some comments, fwiw:

# NIST Size Mapping

The ciphertext values in Table 1 do not match the ones used in Table 3 of FIPS203. Is that intended?

# Redundant recommendation

We do say in Section 4:

  NOTE: While the private key can be stored in multiple formats, the
  seed-only format is RECOMMENDED as it is the most compact
  representation. 

then restate in Section 6:

  When encoding an ML-KEM private key in a OneAsymmetricKey object, any
  of these three formats may be used, though the seed format is
  RECOMMENDED for storage efficiency.

and then in that same section:

  NOTE: While the private key can be stored in multiple formats, the
  seed-only format is RECOMMENDED as it is the most compact
  representation. 

Unless there are subtleties I missed, these recommendations are identical to me. Please keep one.

# Notation

Please consider making this change in Section 5

OLD: id-alg-ml-kem-* in the SubjectPublicKeyInfo, then keyEncipherment MUST be

NEW: id-alg-ml-kem-* (where * is 512, 768, or 1024 - see Section 3) in the SubjectPublicKeyInfo, then keyEncipherment MUST be


# Operational Considerations

## The document includes a good discussion of operational guidance. Can we please reorganize ops content similar to the structure followed recently in draft-ietf-lamps-dilithium-certificates?

NEW:
  6.  Operational Considerations  . . . . . . . . . . . . . . . . .
    6.1. Private Key Format  (OLD: Section 6)
    6.2. Private Key Consistency Testing (OLD: Section 8)
    6.3. Serialization of Seed Values (OLD: Section 7)

## On the encoding formats

As discussed, e.g., in [1], there might be some variation between the encoding formats. I see serialization aspects are discussed in Section 7, but I wonder whether we can include an explicit statement about the alignment (or misalignment if any) about encoding approaches.

# Misc.

## Applicability: cite celi-wiggers-tls-authkem as an example

OLD:
  To be used in TLS, ML-KEM certificates
  could only be used as end-entity identity certificates and would
  require significant updates to the protocol; see
  [I-D.celi-wiggers-tls-authkem].

NEW:
  To be used in TLS, ML-KEM certificates
  could only be used as end-entity identity certificates and would
  require significant updates to the protocol; see, for example,
  [I-D.celi-wiggers-tls-authkem].

## Should this be stated once rather than being repeated for each ASN snippet?

CURRENT:
      |  NOTE: The above syntax is from [RFC5912] and is compatible with
      |  the 2021 ASN.1 syntax [X680].  See [RFC5280] for the 1988 ASN.1
      |  syntax.

## Please consider adding a citation in Section 4 to point to Appendix B. This helpful to understand the values used in various snippets.

## (nit) Missing “and” in Section 4

OLD:
  When an ML-KEM public key appears outside of a SubjectPublicKeyInfo
  type in an environment that uses ASN.1 encoding, it can be encoded as
  an OCTET STRING by using the ML-KEM-512-PublicKey, ML-KEM-
  768-PublicKey, ML-KEM-1024-PublicKey types corresponding to the
  correct key size.

NEW:
  When an ML-KEM public key appears outside of a SubjectPublicKeyInfo
  type in an environment that uses ASN.1 encoding, it can be encoded as
  an OCTET STRING by using the ML-KEM-512-PublicKey, ML-KEM-
  768-PublicKey, and ML-KEM-1024-PublicKey types corresponding to the
  correct key size.

## (nit) an extra “the” in Section 4

OLD:
  When the ML-KEM private key appears outside of an Asymmetric Key
  Package in an environment that uses ASN.1 encoding, it can be encoded
  using one of the the ML-KEM-PrivateKey CHOICE formats defined in
  Section 6. 

NEW:
  When the ML-KEM private key appears outside of an Asymmetric Key
  Package in an environment that uses ASN.1 encoding, it can be encoded
  using one of the ML-KEM-PrivateKey CHOICE formats defined in
  Section 6. 

## (nit) Section 6

OLD: a fixed 64 byte OCTET STRING (66 bytes total with

NEW: a fixed 64-byte OCTET STRING (66 bytes total with

## (nit) Section 8

OLD: Private Key Consistency Tesing

NEW: Private Key Consistency Testing

## Section 9

CURRENT:
  ML-KEM key generation as standardized in [FIPS203] has specific
  requirements around randomness generation, described in section 3.3,
  'Randomness generation'.

Please make it explicit this is about 3.3 of FIPS203.

Thank you.

Cheers,
Med

[1] https://github.com/openssl/openssl/issues/26652 (bullet list with seed-related discussion)

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-lamps-kyber-certificates-10. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which we must complete.

In the SMI Security for PKIX Module Identifier registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

a single new registration is to be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-x509-ml-kem-2025
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

We understand that this is the only action required to be completed upon approval of this document.

NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2025-06-06):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-lamps-kyber-certificates@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Internet X.509 Public Key Infrastructure - Algorithm Identifiers for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Internet
X.509 Public Key Infrastructure - Algorithm Identifiers for
  the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2025-06-06. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  The Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) is a
  quantum-resistant key-encapsulation mechanism (KEM).  This document
  describes the conventions for using the ML-KEM in X.509 Public Key
  Infrastructure.  The conventions for the subject public keys and
  private keys are also described.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/



No IPR declarations have been submitted directly on this I-D.

# Shepherd Write-up for draft-ietf-lamps-kyber-certificates-10

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.  The discussion was
  very active, and LAMPS WG consensus was reached.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was much controversy, especially about the private key format.
  The LAMPS WG reached a place that everyone can live with the result,
  even if everyone is not happy.  That is, the document represents a
  place where all parties are equally unhappy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  The patent situation was not addressed to the satisfaction of all parties.
  The following messages in the archive represent the best summary of the
  patent situation.  Only one person has expressed concern, and the
  potential patent holder has not chosen to make an IPR disclosure.
  Despite the IPR discussion on the mail list, no one has made a third-party
  IPR disclosure.
 
  https://mailarchive.ietf.org/arch/msg/spasm/GKFhHfBeCgf8hQQvhUcyOJ6M-kI/
  https://mailarchive.ietf.org/arch/msg/spasm/jhpFJNGrmBn1D9oEDZHAuqfzleY/

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, which is the reason that the private key format
  discussion became so difficult.  No implementer wanted to make changes.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder value is inserted for the module
  identifier that will be assigned by IANA, the ASN.1 module in Appendix A
  compiles without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    In addition to the points made in response to question 3, the authors have
    explicitly stated that they are unaware of any IPR that needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about 21 instances of lines with non-RFC6890-compliant
    IPv4 addresses.  This is not correct.  I assume it is the examples that
    are confusing the program.

    IDnits complains about the lack of '' and ''.
    The ASN.1 module includes these markers, the other places in the
    document are talking about fragments of the ASN.1 module, and these
    markers would be distractions.

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There is a normative downward reference to RFC 5912, which is already
    in the DOWNREF registry.
 
18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All normative references have already been published.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.


# Shepherd Write-up for draft-ietf-lamps-kyber-certificates-10

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.  The discussion was
  very active, and LAMPS WG consensus was reached.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was much controversy, especially about the private key format.
  The LAMPS WG reached a place that everyone can live with the result,
  even if everyone is not happy.  That is, the document represents a
  place where all parties are equally unhappy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  The patent situation was not addressed to the satisfaction of all parties.
  The following messages in the archive represent the best summary of the
  patent situation.  Only one person has expressed concern, and the
  potential patent holder has not chosen to make an IPR disclosure.
  Despite the IPR discussion on the mail list, no one has made a third-party
  IPR disclosure.
 
  https://mailarchive.ietf.org/arch/msg/spasm/GKFhHfBeCgf8hQQvhUcyOJ6M-kI/
  https://mailarchive.ietf.org/arch/msg/spasm/jhpFJNGrmBn1D9oEDZHAuqfzleY/

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, which is the reason that the private key format
  discussion became so difficult.  No implementer wanted to make changes.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder value is inserted for the module
  identifier that will be assigned by IANA, the ASN.1 module in Appendix A
  compiles without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    In addition to the points made in response to question 3, the authors have
    explicitly stated that they are unaware of any IPR that needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about 21 instances of lines with non-RFC6890-compliant
    IPv4 addresses.  This is not correct.  I assume it is the examples that
    are confusing the program.

    IDnits complains about the lack of '' and ''.
    The ASN.1 module includes these markers, the other places in the
    document are talking about fragments of the ASN.1 module, and these
    markers would be distractions.

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There is a normative downward reference to RFC 5912, which is already
    in the DOWNREF registry.
 
18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All normative references have already been published.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.