Draft SC-XX: Add MLDSA-87#624
Conversation
| For ML-DSA key pairs, the CA SHALL: | ||
|
|
||
| * Ensure the Key uses one of the following parameter sets: | ||
| * ML-DSA-87 (OID: 2.16.840.1.101.3.4.3.19). |
There was a problem hiding this comment.
Microsoft's announcement at the CABForum F2F yesterday said "Mandatory support for ML-DSA-87".
ML-DSA-44 and ML-DSA-65 weren't mentioned at all. I don't know if that implies that the PQC Pilot Program will (1) disallow these parameter sets or (2) permit (but not require) them to be supported.
If 2, then this PR should probably allow them too.
There was a problem hiding this comment.
Thanks for the call-out on this. I discussed this with the MSFT reps a bit ago and they confirmed that the pilot is limited to MLDSA-87 only at this point. So, I believe this language can stay as-is.
There was a problem hiding this comment.
Leaving a comment here as welll, since it's not yet clear whether this PR or #662 will be the one that moves forward.
Now that we're making this change due to general preparedness, and not just the Microsoft pilot program, we should allow ML-DSA-44 and ML-DSA-65.
4 participants
This preliminary proposal outlines the changes needed to the TLS BR to facilitate the TLS PQC pilot program.