Composite ML-DSA for use in X.509 Public Key Infrastructure
draft-ietf-lamps-pq-composite-sigs-14

Request for IETF Last Call review by GENART Completed: Ready with Nits. Reviewer: Tim Evens. Sent review to list. Submission of review completed at an earlier date.

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-lamps-pq-composite-sigs-14. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are two actions which we must complete.

First, in the SMI Security for PKIX Module Identifier registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

a single new registration will be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-composite-signatures
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have initiated the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

Second, in the SMI Security for PKIX Algorithms registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

18 existing registrations will have their references changed to [ RFC-to-be ] as follows:

Decimal Description Reference
--------------------------------
37 id-MLDSA44-RSA2048-PSS-SHA256 [ RFC-to-be ]
38 id-MLDSA44-RSA2048-PKCS15-SHA256 [ RFC-to-be ]
39 id-MLDSA44-Ed25519-SHA512 [ RFC-to-be ]
40 id-MLDSA44-ECDSA-P256-SHA256 [ RFC-to-be ]
41 id-MLDSA65-RSA3072-PSS-SHA512 [ RFC-to-be ]
42 id-MLDSA65-RSA3072-PKCS15-SHA512 [ RFC-to-be ]
43 id-MLDSA65-RSA4096-PSS-SHA512 [ RFC-to-be ]
44 id-MLDSA65-RSA4096-PKCS15-SHA512 [ RFC-to-be ]
45 id-MLDSA65-ECDSA-P256-SHA512 [ RFC-to-be ]
46 id-MLDSA65-ECDSA-P384-SHA512 [ RFC-to-be ]
47 id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 [ RFC-to-be ]
48 id-MLDSA65-Ed25519-SHA512 [ RFC-to-be ]
49 id-MLDSA87-ECDSA-P384-SHA512 [ RFC-to-be ]
50 id-MLDSA87-ECDSA-brainpoolP384r1-SHA512 [ RFC-to-be ]
51 id-MLDSA87-Ed448-SHAKE256 [ RFC-to-be ]
52 id-MLDSA87-RSA3072-PSS-SHA512 [ RFC-to-be ]
53 id-MLDSA87-RSA4096-PSS-SHA512 [ RFC-to-be ]
54 id-MLDSA87-ECDSA-P521-SHA512 [ RFC-to-be ]

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2026-02-03):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-lamps-pq-composite-sigs@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Composite ML-DSA for use in X.509 Public Key Infrastructure) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Composite
ML-DSA for use in X.509 Public Key Infrastructure'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2026-02-03. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document defines combinations of US NIST ML-DSA in hybrid with
  traditional algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA, Ed25519,
  and Ed448.  These combinations are tailored to meet regulatory
  guidelines.  Composite ML-DSA is applicable in applications that uses
  X.509 or PKIX data structures that accept ML-DSA, but where the
  operator wants extra protection against breaks or catastrophic bugs
  in ML-DSA, and where EUF-CMA-level security is acceptable.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/


The following IPR Declarations may be related to this I-D:

  https://datatracker.ietf.org/ipr/4761/



The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc5639: Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation (Informational - Independent Submission stream)

# Shepherd Write-up for draft-ietf-lamps-pq-composite-sigs-12

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was a lot of debate, and many people asked for fewer combinations, but
  in the end there were people that want each of the combinations that are
  specified..

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal or otherwise expressed disagreemnt.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, and a lot of time was spent at the hackathon to make sure
  that various implementation are interoperable.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  ASN.1 is used.  Once a placeholder values are inserted for the module
  identifier and the algorithm identifiers that will be assigned by IANA,
  the ASN.1 module compiles without error.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder values are inserted for the module
  identifier and the algorithm identifiers that will be assigned by IANA,
  the ASN.1 module compiles without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    One IPR disclosure exists: https://datatracker.ietf.org/ipr/4761/

    This IPR disclosure was highlighted during WG Last Call, and after some
    discussion about the language in the disclosure, the LAMPS WG was very
    comfortable moving forward.

    The authors have explicitly stated that they are unaware of any other IPR
    that needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about an obsolete reference to [RFC4210]; the RFC Editor
    should change this to [RFC9810].

    IDnits complains about ASN.1 tags; IDnits thinks the tags are references.

    IDnits complains about a missing reference to [X509ASN1], but it is
    referenced in a comment in the ASN.1 module.

    IDnits complains about an unused reference to [RFC5758] and [SEC1], but they
    are referenced in Table 5.

    IDnits complains about a downref to [RFC2986], [RFC5915], [RFC6090],
    [RFC6234], [RFC8017], [RFC8032], but all of these documents are already
    in the downref registry.

    IDnits complains about a downref to [RFC5639].  The IESG is asked to call
    out this downref in the IETF Last Call, and then add it to the downref
    registry.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    One normative reference is not freely available, but it is a standard
    produced by the American National Standards Institute.

    Some informative references are behind a paywall.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    Yes, there is a downref to [RFC5639].  The IESG is asked to call out
    this downref in the IETF Last Call, and then add it to the downref
    registry.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All normative references have already been published.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign two object identifiers (OIDs).  The
    first ones is for the ASN.1 module identifier.  The rest are for
    the composite signature algorithms define in this document.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No.

# Shepherd Write-up for draft-ietf-lamps-pq-composite-sigs-12

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was a lot of debate, and many people asked for fewer combinations, but
  in the end there were people that want each of the combinations that are
  specified..

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal or otherwise expressed disagreemnt.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, and a lot of time was spent at the hackathon to make sure
  that various implementation are interoperable.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  ASN.1 is used.  Once a placeholder values are inserted for the module
  identifier and the algorithm identifiers that will be assigned by IANA,
  the ASN.1 module compiles without error.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder values are inserted for the module
  identifier and the algorithm identifiers that will be assigned by IANA,
  the ASN.1 module compiles without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    One IPR disclosure exists: https://datatracker.ietf.org/ipr/4761/

    This IPR disclosure was highlighted during WG Last Call, and after some
    discussion about the language in the disclosure, the LAMPS WG was very
    comfortable moving forward.

    The authors have explicitly stated that they are unaware of any other IPR
    that needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about an obsolete reference to [RFC4210]; the RFC Editor
    should change this to [RFC9810].

    IDnits complains about ASN.1 tags; IDnits thinks the tags are references.

    IDnits complains about a missing reference to [X509ASN1], but it is
    referenced in a comment in the ASN.1 module.

    IDnits complains about an unused reference to [RFC5758] and [SEC1], but they
    are referenced in Table 5.

    IDnits complains about a downref to [RFC2986], [RFC5915], [RFC6090],
    [RFC6234], [RFC8017], [RFC8032], but all of these documents are already
    in the downref registry.

    IDnits complains about a downref to [RFC5639].  The IESG is asked to call
    out this downref in the IETF Last Call, and then add it to the downref
    registry.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    One normative reference is not freely available, but it is a standard
    produced by the American National Standards Institute.

    Some informative references are behind a paywall.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    Yes, there is a downref to [RFC5639].  The IESG is asked to call out
    this downref in the IETF Last Call, and then add it to the downref
    registry.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All normative references have already been published.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign two object identifiers (OIDs).  The
    first ones is for the ASN.1 module identifier.  The rest are for
    the composite signature algorithms define in this document.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No.