From 63115df294b65baca9d645ae3757565b1fd4448d Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Thu, 16 Oct 2025 11:05:14 -0400 Subject: [PATCH 1/5] Add MLDSA-87 --- docs/BR.md | 43 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 5298d38a..23cba4ac 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -2012,6 +2012,11 @@ For ECDSA key pairs, the CA SHALL: * Ensure that the key represents a valid point on the NIST P-256, NIST P-384 or NIST P-521 elliptic curve. +For ML-DSA key pairs, the CA SHALL: + +* Ensure the Key uses one of the following parameter sets: + * ML-DSA-87 (OID: 2.16.840.1.101.3.4.3.19). + No other algorithms or key sizes are permitted. ### 6.1.6 Public key parameters generation and quality checking @@ -2020,6 +2025,8 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number ECDSA: The CA SHOULD confirm the validity of all keys using either the ECC Full Public Key Validation Routine or the ECC Partial Public Key Validation Routine. [Source: Sections 5.6.2.3.2 and 5.6.2.3.3, respectively, of NIST SP 800-56A: Revision 2] +For ML-DSA key pairs: no stipulation. + ### 6.1.7 Key usage purposes (as per X.509 v3 key usage field) Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates except in the following cases: @@ -2817,7 +2824,7 @@ Table: Permitted `policyQualifiers` ##### 7.1.2.7.11 Subscriber Certificate Key Usage -The acceptable Key Usage values vary based on whether the Certificate's `subjectPublicKeyInfo` identifies an RSA public key or an ECC public key. CAs MUST ensure the Key Usage is appropriate for the Certificate Public Key. +The acceptable Key Usage values vary based on whether the Certificate's `subjectPublicKeyInfo` identifies an RSA public key, an ECC public key, or ML-DSA public key. CAs MUST ensure the Key Usage is appropriate for the Certificate Public Key. Table: Key Usage for RSA Public Keys 
@@ -2851,6 +2858,20 @@ Table: Key Usage for ECC Public Keys **Note**: The `keyAgreement` bit is currently permitted, although setting it is NOT RECOMMENDED, as it is a Pending Prohibition (https://github.com/cabforum/servercert/issues/384). +Table: Key Usage for ML-DSA Public Keys + +| __Key Usage__ | __Permitted__ | __Required__ | +| ----- | -- | --- | +| `digitalSignature` | Y | MUST | +| `nonRepudiation` | N | -- | +| `keyEncipherment` | N | -- | +| `dataEncipherment` | N | -- | +| `keyAgreement` | N | -- | +| `keyCertSign` | N | -- | +| `cRLSign` | N | -- | +| `encipherOnly` | N | -- | +| `decipherOnly` | N | -- | + ##### 7.1.2.7.12 Subscriber Certificate Subject Alternative Name For Subscriber Certificates, the Subject Alternative Name MUST be present and MUST contain at least one `dNSName` or `iPAddress` `GeneralName`. See below for further requirements about the permitted fields and their validation requirements. @@ -3344,6 +3365,19 @@ When encoded, the `AlgorithmIdentifier` for ECDSA keys MUST be byte-for-byte ide * For P-384 keys, `301006072a8648ce3d020106052b81040022`. * For P-521 keys, `301006072a8648ce3d020106052b81040023`. + +##### 7.1.3.2.4 ML-DSA + +The CA SHALL indicate an ML-DSA key using one of the following algorithm identifiers below: + + * ML-DSA-87 (OID: 2.16.840.1.101.3.4.3.19). + +The parameters for ML-DSA keys SHALL be absent. The CA MUST NOT use HashML-DSA; only "pure" ML-DSA is permitted. + +When encoded, the AlgorithmIdentifier for ML-DSA keys SHALL be byte-for-byte identical with the following hex-encoded bytes: + +* For ML-DSA-87, `300b0609608648016503040313`. + #### 7.1.3.2 Signature AlgorithmIdentifier All objects signed by a CA Private Key MUST conform to these requirements on the use of the `AlgorithmIdentifier` or `AlgorithmIdentifier`-derived type in the context of signatures. 
@@ -3442,6 +3476,13 @@ If the signing key is P-384, the signature MUST use ECDSA with SHA-384. When enc If the signing key is P-521, the signature MUST use ECDSA with SHA-512. When encoded, the `AlgorithmIdentifier` MUST be byte-for-byte identical with the following hex-encoded bytes: `300a06082a8648ce3d040304`. +##### 7.1.3.2.4 ML-DSA + +The CA SHALL use the appropriate signature algorithm and encoding based upon the signing key used. + +If the signing key is ML-DSA-87, the signature algorithm SHALL be id-ml-dsa-87 (OID: 2.16.840.1.101.3.4.3.19). When encoded, the `AlgorithmIdentifier` SHALL be byte-for-byte identical with the following hex-encoded bytes: `300b0609608648016503040313`. + + ### 7.1.4 Name Forms This section details encoding rules that apply to all Certificates issued by a CA. Further restrictions may be specified within [Section 7.1.2](#712-certificate-content-and-extensions), but these restrictions do not supersede these requirements. From bad11c061b276d8d31797c32b434a1103803e74f Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 17 Oct 2025 07:55:21 -0400 Subject: [PATCH 2/5] Fix section number --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 23cba4ac..2a7ec2e1 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -3366,7 +3366,7 @@ When encoded, the `AlgorithmIdentifier` for ECDSA keys MUST be byte-for-byte ide * For P-521 keys, `301006072a8648ce3d020106052b81040023`. -##### 7.1.3.2.4 ML-DSA +##### 7.1.3.1.3 ML-DSA The CA SHALL indicate an ML-DSA key using one of the following algorithm identifiers below: From 10d0cf35502fead790bff3e2a0d49ba2731437d1 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 17 Oct 2025 08:22:39 -0400 Subject: [PATCH 3/5] Allow only pure MLDSA chains --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 2a7ec2e1..3f6271ba 100644 --- a/docs/BR.md +++ b/docs/BR.md 
@@ -3478,7 +3478,7 @@ If the signing key is P-521, the signature MUST use ECDSA with SHA-512. When enc ##### 7.1.3.2.4 ML-DSA -The CA SHALL use the appropriate signature algorithm and encoding based upon the signing key used. +The CA SHALL use the appropriate signature algorithm and encoding based upon the signing key used. Additionally, the CA SHALL NOT use this signature algorithm if the algorithm identifier of the public key being certified is not id-ml-dsa-87 (OID: 2.16.840.1.101.3.4.3.19). If the signing key is ML-DSA-87, the signature algorithm SHALL be id-ml-dsa-87 (OID: 2.16.840.1.101.3.4.3.19). When encoded, the `AlgorithmIdentifier` SHALL be byte-for-byte identical with the following hex-encoded bytes: `300b0609608648016503040313`. From f6ac0f8d6fa069384f6f9b2caf5a9f71bcff3c55 Mon Sep 17 00:00:00 2001 From: Corey Bonnell Date: Fri, 17 Oct 2025 08:29:24 -0400 Subject: [PATCH 4/5] Restrict certification of MLDSA keys to only MLDSA CAs --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 3f6271ba..48c42cc5 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -3372,7 +3372,7 @@ The CA SHALL indicate an ML-DSA key using one of the following algorithm identif * ML-DSA-87 (OID: 2.16.840.1.101.3.4.3.19). -The parameters for ML-DSA keys SHALL be absent. The CA MUST NOT use HashML-DSA; only "pure" ML-DSA is permitted. +The parameters for ML-DSA keys SHALL be absent. The CA MUST NOT use HashML-DSA; only "pure" ML-DSA is permitted. Additionally, the CA SHALL NOT use this algorithm if the algorithm identifier of the Certificate's signature algorithm is not ML-DSA-87 (OID: 2.16.840.1.101.3.4.3.19). When encoded, the AlgorithmIdentifier for ML-DSA keys SHALL be byte-for-byte identical with the following hex-encoded bytes: From e00fbe09f405f5b106edd30c2538cf274bc1282b Mon Sep 17 00:00:00 2001 
From: Corey Bonnell Date: Sat, 18 Oct 2025 02:49:06 -0400 Subject: [PATCH 5/5] Add a missing "an" --- docs/BR.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/BR.md b/docs/BR.md index 48c42cc5..1a8f3a83 100644 --- a/docs/BR.md +++ b/docs/BR.md @@ -2824,7 +2824,7 @@ Table: Permitted `policyQualifiers` ##### 7.1.2.7.11 Subscriber Certificate Key Usage -The acceptable Key Usage values vary based on whether the Certificate's `subjectPublicKeyInfo` identifies an RSA public key, an ECC public key, or ML-DSA public key. CAs MUST ensure the Key Usage is appropriate for the Certificate Public Key. +The acceptable Key Usage values vary based on whether the Certificate's `subjectPublicKeyInfo` identifies an RSA public key, an ECC public key, or an ML-DSA public key. CAs MUST ensure the Key Usage is appropriate for the Certificate Public Key. Table: Key Usage for RSA Public Keys
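Review bot: In the 6.1.5 hunk of patch 1/5, "Ensure the Key uses one of the following parameter sets:" opens a nested list that has exactly one entry, and its capitalised "Key" does not match the sibling ECDSA bullet ("the key represents a valid point"). Suggest a single bullet, "* Ensure that the key uses the ML-DSA-87 parameter set (OID: 2.16.840.1.101.3.4.3.19).", and keep the nested form only if further parameter sets are planned. The OID itself is the NIST CSOR value for id-ml-dsa-87 (the arc 2.16.840.1.101.3.4.3.17/.18/.19 covers ML-DSA-44/-65/-87), so the value is right.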
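Review bot: In the 6.1.6 hunk of patch 1/5, "For ML-DSA key pairs: no stipulation." drops the quality check that the adjacent ECDSA paragraph requires and also breaks the "RSA:" / "ECDSA:" lead-in pattern of that section. A cheap, deterministic check exists: FIPS 204 fixes the encoded public key length per parameter set (2592 bytes for ML-DSA-87), so consider "ML-DSA: The CA SHOULD confirm that the encoded public key has the length specified by FIPS 204 for the parameter set (2592 bytes for ML-DSA-87)." so that a truncated or padded key is rejected at the same point where ECDSA keys are validated.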
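Review bot: In the 7.1.2.7.11 hunk of patch 1/5 the replacement line reads "an ECC public key, or ML-DSA public key" and is missing the article before "ML-DSA"; patch 5/5 fixes exactly this one word, so squash that fix into this commit rather than landing the typo and its correction as separate commits.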
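Review bot: In the new ML-DSA key section added after the P-521 bullet in patch 1/5, the heading "##### 7.1.3.2.4 ML-DSA" sits under 7.1.3.1 (SubjectPublicKeyInfo) and collides with the signature section of the same number added later in the same patch; patch 2/5 renumbers it to 7.1.3.1.3, and that renumbering belongs in this commit. In the same hunk: "one of the following algorithm identifiers below" says the same thing twice ("following" or "below", not both); the "* ML-DSA-87" bullet is indented with a leading space while the ECDSA bullets above it are not; the second "AlgorithmIdentifier" lacks the backticks the ECDSA paragraph uses; and the paragraph mixes "SHALL be absent" with "MUST NOT use HashML-DSA" where the surrounding text uses MUST throughout. The encoding itself checks out: `30 0b` wraps a single 9-byte OID `06 09 60 86 48 01 65 03 04 03 13`, which decodes to 2.16.840.1.101.3.4.3.19 with no parameters element, consistent with "The parameters for ML-DSA keys SHALL be absent."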
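Review bot: In the 7.1.3.2.4 signature hunk of patch 1/5, "the appropriate signature algorithm and encoding based upon the signing key used" leaves one ML-DSA signing input unspecified: pure ML-DSA takes a context string, and the IETF X.509 profile for ML-DSA requires it to be empty. Consider adding "The context string SHALL be empty." so that a verifier knows which ML-DSA.Sign/Verify inputs the CA committed to, rather than inferring it from an external profile. Also, the hunk leaves two blank lines before "### 7.1.4 Name Forms" where the file otherwise uses one, and the ECDSA paragraphs directly above use MUST rather than SHALL.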
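Review bot: Patch 2/5 only renumbers the heading that patch 1/5 introduced; fold it into patch 1 so that no intermediate commit in the series contains two "7.1.3.2.4 ML-DSA" headings, which would otherwise break the document's anchor links for that section.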
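Review bot: In patch 3/5 the added sentence, "the CA SHALL NOT use this signature algorithm if the algorithm identifier of the public key being certified is not id-ml-dsa-87", lives under 7.1.3.2, whose opening line applies it to "All objects signed by a CA Private Key". CRLs and OCSP responses carry no "public key being certified", so the condition is undefined for them and it becomes ambiguous whether an ML-DSA-87 CA may sign its own CRLs at all. Suggest scoping it explicitly, e.g. "For Certificates, the CA SHALL NOT use this signature algorithm if the `subjectPublicKeyInfo` algorithm is not id-ml-dsa-87 (OID: 2.16.840.1.101.3.4.3.19).", and stating separately what is expected for CRLs and OCSP responses. Note also that this hunk names the algorithm "id-ml-dsa-87" while patch 4/5 calls the same OID "ML-DSA-87".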
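Review bot: In patch 4/5 the new sentence, "the CA SHALL NOT use this algorithm if the algorithm identifier of the Certificate's signature algorithm is not ML-DSA-87", follows directly after "The CA MUST NOT use HashML-DSA", so "this algorithm" can be read as referring to HashML-DSA rather than to the ML-DSA-87 key algorithm; "an ML-DSA key" or "this key algorithm" removes the ambiguity. Together with patch 3/5 the two sentences give the two directions of the pure-chain rule (ML-DSA signature implies ML-DSA key, ML-DSA key implies ML-DSA signature), which is the stated intent, but they should use the same name for the OID ("ML-DSA-87" here versus "id-ml-dsa-87" there) and ideally cross-reference each other so that a future edit to one is not made without the other.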
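Review bot: Patch 5/5 is a one-word correction to the 7.1.2.7.11 sentence introduced by patch 1/5; squash it into that commit so the series does not record the typo as a separate change.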