LAMPS M. Ounsworth Internet-Draft J. Gray Intended status: Standards Track Entrust Expires: 25 July 2026 J. Klaussner Bundesdruckerei GmbH D. Van Geest CryptoNext Security 21 January 2026 Composite ML-DSA for use in Cryptographic Message Syntax (CMS) draft-ietf-lamps-cms-composite-sigs-01 Abstract Composite ML-DSA defines combinations of ML-DSA, as defined by NIST in FIPS 204, with RSA, ECDSA, and EdDSA. This document specifies the conventions for using Composite ML-DSA algorithms within the Cryptographic Message Syntax (CMS). About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://lamps- wg.github.io/cms-composite-sigs/draft-ietf-lamps-cms-composite- sigs.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-composite- sigs/. Discussion of this document takes place on the LAMPS Working Group mailing list (mailto:spams@ietf.org), which is archived at https://datatracker.ietf.org/wg/lamps/about/. Subscribe at https://www.ietf.org/mailman/listinfo/spams/. Source for this draft and an issue tracker can be found at https://github.com/lamps-wg/cms-composite-sigs. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Ounsworth, et al. Expires 25 July 2026 [Page 1] Internet-Draft Composite ML-DSA CMS January 2026 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 25 July 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3 2. Composite ML-DSA Algorithm Identifiers . . . . . . . . . . . 3 3. Signed-Data Conventions . . . . . . . . . . . . . . . . . . . 5 3.1. Pre-Hashing . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. SignedData digestAlgorithms . . . . . . . . . . . . . . . 6 3.3. Signature Generation and Verification . . . . . . . . . . 6 3.4. SignerInfo Content . . . . . . . . . . . . . . . . . . . 7 4. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 9 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 13 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 13 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 Ounsworth, et al. Expires 25 July 2026 [Page 2] Internet-Draft Composite ML-DSA CMS January 2026 1. Introduction [I-D.ietf-lamps-pq-composite-sigs] defines a collection of signature algorithms, referred to as Composite ML-DSA, which combine ML-DSA [FIPS204] with traditional algorithms RSASSA-PKCS1-v1.5, RSASSA-PSS, ECDSA, Ed25519, and Ed448. This document acts as a companion to [I-D.ietf-lamps-pq-composite-sigs] by providing conventions for using Composite ML-DSA algorithms within the Cryptographic Message Syntax (CMS) [RFC5652]. 1.1. Conventions and Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings. This document is consistent with the terminology defined in [RFC9794]. 2. Composite ML-DSA Algorithm Identifiers Many ASN.1 data structure types use the AlgorithmIdentifier type to identify cryptographic algorithms. In the CMS, AlgorithmIdentifiers are used to identify Composite ML-DSA signatures in the signed-data content type. They may also appear in X.509 certificates used to verify those signatures. The same AlgorithmIdentifiers are used to identify Composite ML-DSA public keys and signature algorithms. [I-D.ietf-lamps-pq-composite-sigs] describes the use of Composite ML- DSA in X.509 certificates. The AlgorithmIdentifier type is defined as follows: AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= SEQUENCE { algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), parameters ALGORITHM-TYPE. &Params({AlgorithmSet}{@algorithm}) OPTIONAL } | NOTE: The above syntax is from [RFC5911] and is compatible with | the 2021 ASN.1 syntax [X680]. See [RFC5280] for the 1988 ASN.1 | syntax. The fields in the AlgorithmIdentifier type have the following meanings: Ounsworth, et al. Expires 25 July 2026 [Page 3] Internet-Draft Composite ML-DSA CMS January 2026 algorithm: The algorithm field contains an OID that identifies the cryptographic algorithm in use. The OIDs for Composite ML-DSA algorithms are described below. parameters: The parameters field contains parameter information for the algorithm identified by the OID in the algorithm field. Each Composite ML-DSA parameter set is identified by its own algorithm OID, so there is no relevant information to include in this field. As such, parameters MUST be omitted when encoding a Composite ML- DSA AlgorithmIdentifier. The object identifiers for Composite ML-DSA algorithms are defined in [I-D.ietf-lamps-pq-composite-sigs], and are reproduced here for convenience. id-MLDSA44-RSA2048-PSS-SHA256 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 37 } id-MLDSA44-RSA2048-PKCS15-SHA256 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 38 } id-MLDSA44-Ed25519-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 39 } id-MLDSA44-ECDSA-P256-SHA256 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 40 } id-MLDSA65-RSA3072-PSS-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 41 } id-MLDSA65-RSA3072-PKCS15-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 42 } id-MLDSA65-RSA4096-PSS-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 43 } id-MLDSA65-RSA4096-PKCS15-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 44 } id-MLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 45 } id-MLDSA65-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 46 } id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 47 } Ounsworth, et al. Expires 25 July 2026 [Page 4] Internet-Draft Composite ML-DSA CMS January 2026 id-MLDSA65-Ed25519-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 48 } id-MLDSA87-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 49 } id-MLDSA87-ECDSA-brainpoolP384r1-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 50 } id-MLDSA87-Ed448-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 51 } id-MLDSA87-RSA3072-PSS-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 52 } id-MLDSA87-RSA4096-PSS-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 53 } id-MLDSA87-ECDSA-P521-SHA512 OBJECT IDENTIFIER ::= { iso(1) org(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) alg(6) 54 } 3. Signed-Data Conventions 3.1. Pre-Hashing [RFC5652] specifies that digital signatures for CMS are produced using a digest of the message to be signed and the signer's private key. At the time RFC 5652 was published, all signature algorithms supported in the CMS required a message digest to be calculated externally to that algorithm, which would then be supplied to the algorithm implementation when calculating and verifying signatures. Since then, EdDSA [RFC8032] and ML-DSA [FIPS204] have also been standardized, and these algorithms support both a "pure" and "pre- hash" mode, although their use in CMS has only been defined for "pure" mode. Composite ML-DSA operates only in a "pre-hash" mode. However, unlike RSA and ECDSA each Composite ML-DSA algorithm is defined to be used with a single digest algorithm which is identified in the Composite ML-DSA algorithm name. For example, id-MLDSA87-ECDSA-P521-SHA512 uses SHA-512 as its pre-hash digest algorithm. When Composite ML-DSA is used in CMS, the digest algorithm used by CMS SHALL be the same pre-hash digest algorithm used by the Composite ML-DSA algorithm. A Composite ML-DSA algorithm might use additional digest algorithms for the internal component algorithms, these digest algorithms are irrelevant to Composite ML-DSA's use in CMS. Ounsworth, et al. Expires 25 July 2026 [Page 5] Internet-Draft Composite ML-DSA CMS January 2026 3.2. SignedData digestAlgorithms The SignedData digestAlgorithms field includes the identifiers of the message digest algorithms used by one or more signer. There MAY be any number of elements in the collection, including zero. When signing with a Composite ML-DSA algorithm, the list of identifiers MAY include a digest algorithm from Table 1. The digest algorithm(s) included will depend on the Composite ML-DSA algorithm(s) used for signing. If such a digest algorithm is present, the algorithm parameters field MUST be absent. 3.3. Signature Generation and Verification [RFC5652] describes the two methods that are used to calculate and verify signatures in the CMS. One method is used when signed attributes are present in the signedAttrs field of the relevant SignerInfo, and another is used when signed attributes are absent. Use of signed attributes is preferred, but the conventions for signed-data without signed attributes is also described below for completeness. When signed attributes are absent, Composite ML-DSA signatures are computed over the content of the signed-data. As described in Section 5.4 of [RFC5652], the "content" of a signed-data is the value of the encapContentInfo eContent OCTET STRING. The tag and length octets are not included. When signed attributes are included, Composite ML-DSA signatures are computed over the complete DER encoding of the SignedAttrs value contained in the SignerInfo's signedAttrs field. As described in Section 5.4 of [RFC5652], this encoding includes the tag and length octets, but an EXPLICIT SET OF tag is used rather than the IMPLICIT [0] tag that appears in the final message. At a minimum, the signedAttrs field MUST include a content-type attribute and a message-digest attribute. The message-digest attribute contains a hash of the content of the signed-data, where the content is as described for the absent signed attributes case above. Recalculation of the hash value by the recipient is an important step in signature verification. Composite ML-DSA has a context string input that can be used to ensure that different signatures are generated for different application contexts. When using Composite ML-DSA as specified in this document, the context string is set to the empty string. Ounsworth, et al. Expires 25 July 2026 [Page 6] Internet-Draft Composite ML-DSA CMS January 2026 3.4. SignerInfo Content When using Composite ML-DSA, the fields of a SignerInfo are used as follows: digestAlgorithm: Per Section 5.3 of [RFC5652], the digestAlgorithm field identifies the message digest algorithm used by the signer and any associated parameters. This MUST be the same digest algorithm used by the Composite ML-DSA algorithm. Per [RFC8933], if the signedAttrs field is present in the SignerInfo, then the same digest algorithm MUST be used to compute both the digest of the SignedData encapContentInfo eContent, which is carried in the message-digest attribute, and the digest of the DER-encoded signedAttrs, which is passed to the signature algorithm. See Table 1 for exact algorithm mappings. [RFC5754] defines the use of SHA-256 [FIPS180] (id-sha256) and SHA-512 [FIPS180] (id-sha512) in CMS. [RFC8702] defines the used of SHAKE256 [FIPS202] in CMS (id-shake256). When id-sha256 or id- sha512 is used, the parameters field MUST be omitted. When id- shake256 is used the parameters field MUST be omitted and the digest length MUST be 64 bytes. Ounsworth, et al. Expires 25 July 2026 [Page 7] Internet-Draft Composite ML-DSA CMS January 2026 +=========================================+===================+ | Signature Algorithm | Digest Algorithms | +=========================================+===================+ | id-MLDSA44-RSA2048-PSS-SHA256 | id-sha256 | +-----------------------------------------+-------------------+ | id-MLDSA44-RSA2048-PKCS15-SHA256 | id-sha256 | +-----------------------------------------+-------------------+ | id-MLDSA44-Ed25519-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA44-ECDSA-P256-SHA256 | id-sha256 | +-----------------------------------------+-------------------+ | id-MLDSA65-RSA3072-PSS-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-RSA3072-PKCS15-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-RSA4096-PSS-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-RSA4096-PKCS15-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-ECDSA-P256-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-ECDSA-P384-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA65-Ed25519-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA87-ECDSA-P384-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA87-ECDSA-brainpoolP384r1-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA87-Ed448-SHAKE256 | id-shake256 | +-----------------------------------------+-------------------+ | id-MLDSA87-RSA3072-PSS-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA87-RSA4096-PSS-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ | id-MLDSA87-ECDSA-P521-SHA512 | id-sha512 | +-----------------------------------------+-------------------+ Table 1: Digest Algorithms for Composite ML-DSA signatureAlgorithm: The signatureAlgorithm field MUST contain one of the Composite ML-DSA signature algorithm OIDs, and the parameters field MUST be absent. The algorithm OID MUST be one of the OIDs described in Section 2. signature: The signature field contains the signature value Ounsworth, et al. Expires 25 July 2026 [Page 8] Internet-Draft Composite ML-DSA CMS January 2026 resulting from the use of the Composite ML-DSA signature algorithm identified by the signatureAlgorithm field. The Composite ML-DSA signature-generation operation is specified in Section 4.2 of [I-D.ietf-lamps-pq-composite-sigs], and the signature-verification operation is specified in Section 4.3 of [I-D.ietf-lamps-pq-composite-sigs]. Note that Section 5.6 of [RFC5652] places further requirements on the successful verification of a signature. 4. ASN.1 Module Composite-MLDSA-CMS-2026 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-composite-mldsa-cms-2026(TBDMOD) } DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS SIGNATURE-ALGORITHM, SMIME-CAPS FROM AlgorithmInformation-2009 -- [RFC5911] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } sa-MLDSA44-RSA2048-PSS-SHA256, sa-MLDSA44-RSA2048-PKCS15-SHA256, sa-MLDSA44-Ed25519-SHA512, sa-MLDSA44-ECDSA-P256-SHA256, sa-MLDSA65-RSA3072-PSS-SHA512, sa-MLDSA65-RSA3072-PKCS15-SHA512, sa-MLDSA65-RSA4096-PSS-SHA512, sa-MLDSA65-RSA4096-PKCS15-SHA512, sa-MLDSA65-ECDSA-P256-SHA512, sa-MLDSA65-ECDSA-P384-SHA512, sa-MLDSA65-ECDSA-brainpoolP256r1-SHA512, sa-MLDSA65-Ed25519-SHA512, sa-MLDSA87-ECDSA-P384-SHA512, sa-MLDSA87-ECDSA-brainpoolP384r1-SHA512, sa-MLDSA87-Ed448-SHAKE256, sa-MLDSA87-RSA3072-PSS-SHA512, sa-MLDSA87-RSA4096-PSS-SHA512, sa-MLDSA87-ECDSA-P521-SHA512 FROM Composite-MLDSA-2025 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-composite-mldsa-2025(TBDCompositeMOD) } ; -- -- Expand the signature algorithm set used by CMS [RFC5911] -- SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= { Ounsworth, et al. Expires 25 July 2026 [Page 9] Internet-Draft Composite ML-DSA CMS January 2026 sa-MLDSA44-RSA2048-PSS-SHA256 | sa-MLDSA44-RSA2048-PKCS15-SHA256 | sa-MLDSA44-Ed25519-SHA512 | sa-MLDSA44-ECDSA-P256-SHA256 | sa-MLDSA65-RSA3072-PSS-SHA512 | sa-MLDSA65-RSA3072-PKCS15-SHA512 | sa-MLDSA65-RSA4096-PSS-SHA512 | sa-MLDSA65-RSA4096-PKCS15-SHA512 | sa-MLDSA65-ECDSA-P256-SHA512 | sa-MLDSA65-ECDSA-P384-SHA512 | sa-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | sa-MLDSA65-Ed25519-SHA512 | sa-MLDSA87-ECDSA-P384-SHA512 | sa-MLDSA87-ECDSA-brainpoolP384r1-SHA512 | sa-MLDSA87-Ed448-SHAKE256 | sa-MLDSA87-RSA3072-PSS-SHA512 | sa-MLDSA87-RSA4096-PSS-SHA512 | sa-MLDSA87-ECDSA-P521-SHA512, ... } -- -- Expand the S/MIME capabilities set used by CMS [RFC5911] -- SMimeCaps SMIME-CAPS ::= { sa-MLDSA44-RSA2048-PSS-SHA256.&smimeCaps | sa-MLDSA44-RSA2048-PKCS15-SHA256.&smimeCaps | sa-MLDSA44-Ed25519-SHA512.&smimeCaps | sa-MLDSA44-ECDSA-P256-SHA256.&smimeCaps | sa-MLDSA65-RSA3072-PSS-SHA512.&smimeCaps | sa-MLDSA65-RSA3072-PKCS15-SHA512.&smimeCaps | sa-MLDSA65-RSA4096-PSS-SHA512.&smimeCaps | sa-MLDSA65-RSA4096-PKCS15-SHA512.&smimeCaps | sa-MLDSA65-ECDSA-P256-SHA512.&smimeCaps | sa-MLDSA65-ECDSA-P384-SHA512.&smimeCaps | sa-MLDSA65-ECDSA-brainpoolP256r1-SHA512.&smimeCaps | sa-MLDSA65-Ed25519-SHA512.&smimeCaps | sa-MLDSA87-ECDSA-P384-SHA512.&smimeCaps | sa-MLDSA87-ECDSA-brainpoolP384r1-SHA512.&smimeCaps | sa-MLDSA87-Ed448-SHAKE256.&smimeCaps | sa-MLDSA87-RSA3072-PSS-SHA512.&smimeCaps | sa-MLDSA87-RSA4096-PSS-SHA512.&smimeCaps | sa-MLDSA87-ECDSA-P521-SHA512.&smimeCaps, ... } END Ounsworth, et al. Expires 25 July 2026 [Page 10] Internet-Draft Composite ML-DSA CMS January 2026 5. IANA Considerations IANA is requested to allocate a value from the "SMI Security for PKIX Module Identifier" registry for the included ASN.1 module. * Decimal: IANA Assigned - *Replace TBDCompositeMOD* * Description: Composite-Signatures-CMS-2026 - id-mod-composite- mldsa-cms-2026 * References: This Document 6. Security Considerations All security considerations from [I-D.ietf-lamps-pq-composite-sigs] apply. Security of the Composite ML-DSA private key is critical. Compromise of the private key will enable an adversary to forge arbitrary signatures. Composite ML-DSA depends on high-quality random numbers that are suitable for use in cryptography. The use of inadequate pseudo- random number generators (PRNGs) to generate such values can significantly undermine the security properties offered by a cryptographic algorithm. For instance, an attacker may find it much easier to reproduce the PRNG environment that produced any private keys, searching the resulting small set of possibilities, rather than brute-force searching the whole key space. The generation of random numbers of a sufficient level of quality for use in cryptography is difficult; see Section 3.6.1 of [FIPS204] for some additional information. To avoid algorithm substitution attacks, the CMSAlgorithmProtection attribute defined in [RFC6211] SHOULD be included in signed attributes. 7. References 7.1. Normative References [FIPS180] "Secure hash standard", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.180-4, 2015, . Ounsworth, et al. Expires 25 July 2026 [Page 11] Internet-Draft Composite ML-DSA CMS January 2026 [FIPS202] "SHA-3 standard :: permutation-based hash and extendable- output functions", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.202, 2015, . [FIPS204] "Module-lattice-based digital signature standard", National Institute of Standards and Technology (U.S.), DOI 10.6028/nist.fips.204, August 2024, . [I-D.ietf-lamps-pq-composite-sigs] Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. Fluhrer, "Composite ML-DSA for use in X.509 Public Key Infrastructure", Work in Progress, Internet-Draft, draft- ietf-lamps-pq-composite-sigs-14, 7 January 2026, . [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, DOI 10.17487/RFC5911, June 2010, . [RFC8933] Housley, R., "Update to the Cryptographic Message Syntax (CMS) for Algorithm Identifier Protection", RFC 8933, DOI 10.17487/RFC8933, October 2020, . [RFC5754] Turner, S., "Using SHA2 Algorithms with Cryptographic Message Syntax", RFC 5754, DOI 10.17487/RFC5754, January 2010, . Ounsworth, et al. Expires 25 July 2026 [Page 12] Internet-Draft Composite ML-DSA CMS January 2026 [RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash Functions in the Cryptographic Message Syntax (CMS)", RFC 8702, DOI 10.17487/RFC8702, January 2020, . [RFC6211] Schaad, J., "Cryptographic Message Syntax (CMS) Algorithm Identifier Protection Attribute", RFC 6211, DOI 10.17487/RFC6211, April 2011, . 7.2. Informative References [X680] ITU-T, "Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation", ITU-T Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, . [RFC9794] Driscoll, F., Parsons, M., and B. Hale, "Terminology for Post-Quantum Traditional Hybrid Schemes", RFC 9794, DOI 10.17487/RFC9794, June 2025, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, . [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, . [RFC9882] Salter, B., Raine, A., and D. Van Geest, "Use of the ML- DSA Signature Algorithm in the Cryptographic Message Syntax (CMS)", RFC 9882, DOI 10.17487/RFC9882, October 2025, . [RFC8411] Schaad, J. and R. Andrews, "IANA Registration for the Cryptographic Algorithm Object Identifier Range", RFC 8411, DOI 10.17487/RFC8411, August 2018, . Appendix A. Examples This appendix contains an example signed-data encoding with the id- MLDSA65-ECDSA-P256-SHA512 signature algorithm. Ounsworth, et al. Expires 25 July 2026 [Page 13] Internet-Draft Composite ML-DSA CMS January 2026 It can be verified using the example public keys and certificates specified in Appendix E of [I-D.ietf-lamps-pq-composite-sigs]. Specifically, the following example: * tcId: id-MLDSA65-ECDSA-P256-SHA512 * x5c: Base64 of the DER encoding of the certificate. Wrap this in PEM headers and footers to get a PEM certificate. To keep example size down, the signing certificate is not included in the CMS encoding. The example certificate from [I-D.ietf-lamps-pq-composite-sigs] used to sign the CMS content is self-signed. The following is an example of a signed-data with a single id- MLDSA65-ECDSA-P256-SHA512 signer, with signed attributes included: -----BEGIN CMS----- MIIOxQYJKoZIhvcNAQcCoIIOtjCCDrICAQExDTALBglghkgBZQMEAgMwVgYJKoZI hvcNAQcBoEkER2lkLU1MRFNBNjUtRUNEU0EtUDI1Ni1TSEE1MTIgc2lnbmVkLWRh dGEgZXhhbXBsZSB3aXRoIHNpZ25lZCBhdHRyaWJ1dGVzMYIORDCCDkACAQEwXjBG MQ0wCwYDVQQKDARJRVRGMQ4wDAYDVQQLDAVMQU1QUzElMCMGA1UEAwwcaWQtTUxE U0E2NS1FQ0RTQS1QMjU2LVNIQTUxMgIUW0MoLO0np7/Ch09mfDIxAm9wH3AwCwYJ YIZIAWUDBAIDoIGJMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcN AQkFMQ8XDTI2MDEyMTIwMzkyMFowTwYJKoZIhvcNAQkEMUIEQIjYc0f2iK/i/r30 83ouERXhQHSSXulhH8t6jiLSUlMK6EbW5xNFsnRLbVI9PYdOvhVLqKaooVBrbVvx iZPIX00wCgYIKwYBBQUHBi0Egg00EkQcFLL9GAh5+6zNBEQDr4xPJjTZjEgwgf0E 5kXiNLtzPJ0GMzrL/cUJz8LMhEEm1HMtLDWc3JOwSH5s5WyFRNSr9jhbDcwzHFDd dZO3mAFBibQphfec+yU4E5CtDwBKR1yL0s4FjAQ2PuXVqRoxBy2z7fxCGrksY6C7 Zpesxy65vqnkTKmc2FF8D97Y+VsySeACY+3ZzTDZ1jEIApTzqqTiKy5mLpHeJ002 b4tdTtVdXa7JZT2bKlQwtSwOVnPEPfViCbCBklaH0K8oo+fGst6Xq+vd41V+XrLp rPwned8k9ck8zJZq3YfVXzYxTwbpBjMiMyaMch0fs+umxe1ItgFZ3fJ5pI7Shiw+ j2ec7W7w1fmsXzF0ltk2wDwxIZF8g0qAiH3SOx7Gs2hfQnb0V9zhbjPt2NHiTM7r QTTwvdPhxDQWl8uBcasPxOIDHnjrlcveghpXWgtSJAVm4wCTK55PXBshE2jFtbcC xwXenC2pds4eH8J+zNwUeL9VTZg+l8WkXHvai7aFMlaWBSZK0fceBM/rIwAOP1gL pBaurCr8nRxcjV7OKVDoRT+mEFPAjgk6Egyz+N1Pn8rjsY89aVizA7yIZmPU8qbG BkBCVoJbqWYaHFY1wS+qFB9dIdOXK6rvqx1PO3yaAn8Yy1Sg3Wogie5m23hqysB+ j+G/VFwTBVc4DZTBPaHI7sPLEgCJGVX4saGhWjY7uUbK6VXTZxWrBmXUS3nka7OV ZERgaIXlIBNYDEPAEClj6l4/WXhZOcA1HlnxEwvr+/4XyTWuOv9jFZL5W7qb7sEw ug17x7xFVd5YZHvQtWkizGgAKjQj7oMjdF17vbnrTgowCOUpSnlCjJrWz5qst3r8 Mnjr0mFwv1Yv9S06EcCY62Bmks0eElfwwZAv8Je2IVtTidPft7AtdCg1o5Fjz4Ts n4FbJ/quccY5e0g3FHjSRMXepW2nSov1yQuA9M+KNi0fllJLQDMg2yY3g7j5QReN S1ue6/A2i0wsFLaRLOWsLyF0lZVf1VdLxI2UaxwQQOREHb9EXI4mgVKX76vyrvt1 tWO6yYlsNPeQ5+f4QiF2KSYo7/Gysb6fjOuLfT1s2mysefNNVSLXsfGM5ZGoSh1l 2veiQsLEGGqQ22b11ICzrzkzbCiM1SLFC41/4Dr8d0R/cSCEBAkOG0m16lHbkt16 J169myt5mBljy3s5QnRYEJqAFymimWerSsgwS/N8Mhem71QbM/0CZLHIXx1H91dO dW9ZqLUfkuzN1RInouGNKPG7sW84eSWqrwc1JD4AKSs3lZQ+pUgF2DDl04Lc4ZN+ qjM5lTsuax5G3ywhfTvZVaKJL79u7f/2Wt9hZRNqc8NbsxkIpZ4HDrkclSJ6j/f4 Ounsworth, et al. Expires 25 July 2026 [Page 14] Internet-Draft Composite ML-DSA CMS January 2026 C8fbhL5meVLHZ4dl2ZoVxcvQGNFA2NQMwlc3dlaEwRWDr4Mz8vTeBENt0Pzd5aW6 sLUuG3KWf95ONJFj0maO50RMPCRe8gnS/A2gR3tVp0+BVuJeD0DV8qGtaZScrtXr eVRnvbeSfE5lxmOxji1UZ6rKxxQuzXjM8bY42fNqOktERXPCPewG+mBYfo0L+M1v dmeRo4YKfye6HqeVBoVB7uIzB4TlGgFSMI+aLEYU9+lvXxbn9XxkKqj/Nxkuo4qi qqmqO95Fpwhb86OmfJQ0xpR1d0o30eGysaj0Ii7u5VT5ni2gJCvblgL26QT8KfbL pvEYZbq7RbsB/cbd9ldkAwVuTNkRWmyxeLr8SWuO7Uk3okAkJKTFn4zXUwUrgHLO lH0xkfsWTvZBGqTNOMkc5hLeZnticjd4Agn60dMgybWWZ0NOl50xgwTbtZlh5dV9 xr6+CVZmYhAcB1srIS+4HF37KHm0O+c7bUDXvzGPNyt2DOz1UcnrJBcIhDU1iLvL Yu8FMAdKlncqMRcO2C3KgpqpRMKQrOnwSuPqPHfiFAIuB2gdUDn1ob/+XqZ4UANR nZHmXfn+n2bH+eT8EcEZ1XjeLyFeyJHRDR0aZyE0dKJyVA9a569YwHQYTpKVMEPp 9RtolkNBlMZYpQwvwhlg1Rcry4v6WamXKaagbOc3QQ48nNdZIyUFTiFAhGPReABe uwVTUhFFNm0hqzcy7AKohg6ZPhYLdxrkfR3Q0bjMZvs6rqa17VvyzxQt0HDgZCJO 9H/X1BsOBnYlpjcnoU8WLPPKgOE/Nfvtipx8pC2V5Iq5v6ui7jHZ6G1TobI1x7ar OIm5+nR0gS5R7gWx1UH4esEaVGDxkLOkTV1kxwq3BzRnl2LUrulod1sLVu1y/mVP +g/uBq+G3lTWj486rTVCvqWj+P7iZXgsESobx7kMNlvCTeDaUPdAf4w0UHAa0tBH eEkH0Piz08/iaWHD0uZ6tkQ1OpY3GxmWcvqol541X3EXJ5pdQA7DUz+2+KwqvzcN wU799hOjHnxOXWc1+BWNVW4M4T/L2Y07+CW7KaKvH6Tq434aWeD0VhfuYCVioW7F XO2yS9amsCuCcaw/nxSbMmdTEFt65ceLo22q57TtugbQCS5gECZKqA2vcyEKs+gd Dx1HGS/9O3Xf9VpYvEaNW5NZib044A3gXRZbq3ndN2cZyUo3FF/XwsfPXrarBZug xw7vnbdmdKkLb9Ig5nT0ZXZQV9cK5e6iUfbWR3s6+LvGPqSbiA1DQLM5A0tdybCD yOBvuvTRsBJqUe13D9ypFnp3rut1LWdf8ZSxXVCwQVVGjyT1S//AsHVvGNGFQ8WD U07fl37Qc9CD/HK12mdBRv/QQw3iMAD5hxHmz74bGIKmuNmsPPtcs/Itfmxovsuj cPgwHsah8KgdSQv2somK9tx/Ba5iC9nLtm8DV3BPpUx55sv23lvVO5T+5PHl+XAK TYedCVBsEfsQK4RlMbuRx3kFHO9FKGun/vAzEqxmTGr6alWmAtoyLJ7ZDEXrTZK+ ELduqCvwIHZ5Hoh6HzWLPzDma+JMK5X/BBVpKoBu0TvQl8x59En1+NYfHFFcl1Mi jkQDHGlB56LBMXtwyJDn6iG52skJTzdNsFh3V4CgJSC8HXrmefPws1UGt0uXVNBC EMUmSZTGBIA0Uw8tLBW9rBbklbBE3q+nU6fKASE4Yq2t+9eU5rLnMT51xfuXXVxD KPBU2M0XPYJKVFwUIqa5KX4cJiMNnfupIVHZA1JXrz5tXNFmUhQcbtMl9sWBdPE+ vKwAnToBD3JYI68CURKGb8nkxJLT08Psmjz9gqYWJSJxlUyLsaCbrYz8vWivSFBn cGw2hOYpwrmvwNrK+JehlcflRO3EPcUJYI7NRHt8soSV4J6LhrAWWXjQJKu7D12P 4KAStIulBHsyDbVm/Wm6lYbYnGOSWih7zxMhdNDU0tvls1whpZg3fod6mJ6crNcP tKUjmlSf/MGrfsstwW7LiMwvkerA5HdhTLA9tZp+WmqJ9LSRhTOkXFlQwnZFlN3R UVUIysYdH8qi/OjNdvDh0xp7Kanf1bIquMTPbg5sdJNKCVUjYLZ21aP3D2vHDDW9 CrN3KcFgd+uQUaEvWdr0VgJaK8VNFtH+5jZOdPyQjJGy2Gp4t53FtELeaQtNZmbC mL07uESIO78AoDXdVN+G3q56OoaYvhAkOjUXnqTxlIyRpRrZycxg3yqYwKRrMkWs EoqWdmqh8zsInNTGYsAdo+Dol7pY9Smk2nMVPRZHTDCmoNCdezrzFN5K0RydBwMK ozvfSkBEkW7UqahNU3BhtpkBX72YYcHMYWMZNI77rYWRDjL99c9rMQ9LRuynYGF5 KD2jMf9NLkelelJ8g93JTRY1AdKs1viOvQ3j/lLjuen8B420Pb0ueLJSiQr+dego C+jN4qM4auC4W+zwxxbnTviSUDPPxKGSIEFrLrQqVfxqUrXI/KYB1KgLl8Se4p50 Ho/58ZYcr3kKuAJ8QVJAX0cQCyqio9jyJUZDb9Cc85GNp61B8UghTqfgOReuFAd8 dvXz20ZLfTxXghljKrv/bWRSjVF2X7hLihOiaNQJAgx+pFXaehh5lTdFckUMDzLU 1J8ktL6m6VhcdRh9enogOLkvr4DM4o/1j48fIgPIurtYX+kKuxWRL088y7wsU4np awjk+6c8Uy7q4NdrhuwME1fBeRy1LxsAaMMK2M8ONTIriCgbQnJfEN4WL0ir+iqB wb5hzXLqXJlxz1Wnfs5ZR9L3OhQ1h9sIeihfFfNWnoLlF0q2pMnEMgLv+Mcbx7xQ ZFCjOjnWQEKedzt9jM+V+Nql1nQCdZfnfgm2AvnCWLyeqID4HT1wV0mvWyLKFSto SmjV2pEFxtYGftq12sD68w2VzBzn1SyGSwTva0hFn1KntRoVGXjAi17V9i3lrgCU wrbiH8QjLdbX5wAab36iusocbo6Wve3zQ2yd0uwGFihITTk8VX3d7/QAAAAAAAAA AAAAAAAAAAAAAAAABQwTGB0kMEUCIQCutiFHcWBuVepcqbpkStOw7ngMGdeqAx4P Ounsworth, et al. Expires 25 July 2026 [Page 15] Internet-Draft Composite ML-DSA CMS January 2026 pWoMuOAdkAIgXpG9PLXn/nqA6YMPvNnIi7zQDA3ucqzgF7pkjMN+CrY= -----END CMS----- SEQUENCE { # signedData OBJECT_IDENTIFIER { 1.2.840.113549.1.7.2 } [0] { SEQUENCE { INTEGER { 1 } SET { SEQUENCE { # sha512 OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 } } } SEQUENCE { # data OBJECT_IDENTIFIER { 1.2.840.113549.1.7.1 } [0] { OCTET_STRING { "id-MLDSA65-ECDSA-P256-SHA512 signed-da ta example with signed attributes" } } } SET { SEQUENCE { INTEGER { 1 } SEQUENCE { SEQUENCE { SET { SEQUENCE { # organizationName OBJECT_IDENTIFIER { 2.5.4.10 } UTF8String { "IETF" } } } SET { SEQUENCE { # organizationUnitName OBJECT_IDENTIFIER { 2.5.4.11 } UTF8String { "LAMPS" } } } SET { SEQUENCE { # commonName OBJECT_IDENTIFIER { 2.5.4.3 } UTF8String { "id-MLDSA65-ECDSA-P256-SHA512" } } Ounsworth, et al. Expires 25 July 2026 [Page 16] Internet-Draft Composite ML-DSA CMS January 2026 } } INTEGER { `5b43282ced27a7bfc2874f667c3231026f701f70` } } SEQUENCE { # sha512 OBJECT_IDENTIFIER { 2.16.840.1.101.3.4.2.3 } } [0] { SEQUENCE { # contentType OBJECT_IDENTIFIER { 1.2.840.113549.1.9.3 } SET { # data OBJECT_IDENTIFIER { 1.2.840.113549.1.7.1 } } } SEQUENCE { # signingTime OBJECT_IDENTIFIER { 1.2.840.113549.1.9.5 } SET { UTCTime { "260121203920Z" } } } SEQUENCE { # messageDigest OBJECT_IDENTIFIER { 1.2.840.113549.1.9.4 } SET { OCTET_STRING { `88d87347f688afe2febdf4f37a2e1115 e14074925ee9611fcb7a8e22d252530ae846d6e71345b2744b6d523d3d874ebe 154ba8a6a8a1506b6d5bf18993c85f4d` } } } } SEQUENCE { OBJECT_IDENTIFIER { 1.3.6.1.5.5.7.6.45 } } OCTET_STRING { `12441c14b2fd180879fbaccd044403af8c4f26 34d98c483081fd04e645e234bb733c9d06333acbfdc509cfc2cc844126d4732d 2c359cdc93b0487e6ce56c8544d4abf6385b0dcc331c50dd7593b798014189b4 2985f79cfb25381390ad0f004a475c8bd2ce058c04363ee5d5a91a31072db3ed fc421ab92c63a0bb6697acc72eb9bea9e44ca99cd8517c0fded8f95b3249e002 63edd9cd30d9d631080294f3aaa4e22b2e662e91de274d366f8b5d4ed55d5dae c9653d9b2a5430b52c0e5673c43df56209b081925687d0af28a3e7c6b2de97ab ebdde3557e5eb2e9acfc2779df24f5c93ccc966add87d55f36314f06e9063322 33268c721d1fb3eba6c5ed48b60159ddf279a48ed2862c3e8f679ced6ef0d5f9 ac5f317496d936c03c3121917c834a80887dd23b1ec6b3685f4276f457dce16e Ounsworth, et al. Expires 25 July 2026 [Page 17] Internet-Draft Composite ML-DSA CMS January 2026 33edd8d1e24cceeb4134f0bdd3e1c4341697cb8171ab0fc4e2031e78eb95cbde 821a575a0b52240566e300932b9e4f5c1b211368c5b5b702c705de9c2da976ce 1e1fc27eccdc1478bf554d983e97c5a45c7bda8bb68532569605264ad1f71e04 cfeb23000e3f580ba416aeac2afc9d1c5c8d5ece2950e8453fa61053c08e093a 120cb3f8dd4f9fcae3b18f3d6958b303bc886663d4f2a6c606404256825ba966 1a1c5635c12faa141f5d21d3972baaefab1d4f3b7c9a027f18cb54a0dd6a2089 ee66db786acac07e8fe1bf545c130557380d94c13da1c8eec3cb1200891955f8 b1a1a15a363bb946cae955d36715ab0665d44b79e46bb3956444606885e52013 580c43c0102963ea5e3f59785939c0351e59f1130bebfbfe17c935ae3aff6315 92f95bba9beec130ba0d7bc7bc4555de58647bd0b56922cc68002a3423ee8323 745d7bbdb9eb4e0a3008e5294a79428c9ad6cf9aacb77afc3278ebd26170bf56 2ff52d3a11c098eb606692cd1e1257f0c1902ff097b6215b5389d3dfb7b02d74 2835a39163cf84ec9f815b27faae71c6397b48371478d244c5dea56da74a8bf5 c90b80f4cf8a362d1f96524b403320db263783b8f941178d4b5b9eebf0368b4c 2c14b6912ce5ac2f217495955fd5574bc48d946b1c1040e4441dbf445c8e2681 5297efabf2aefb75b563bac9896c34f790e7e7f8422176292628eff1b2b1be9f 8ceb8b7d3d6cda6cac79f34d5522d7b1f18ce591a84a1d65daf7a242c2c4186a 90db66f5d480b3af39336c288cd522c50b8d7fe03afc77447f71208404090e1b 49b5ea51db92dd7a275ebd9b2b79981963cb7b39427458109a801729a29967ab 4ac8304bf37c3217a6ef541b33fd0264b1c85f1d47f7574e756f59a8b51f92ec cdd51227a2e18d28f1bbb16f387925aaaf0735243e00292b3795943ea54805d8 30e5d382dce1937eaa3339953b2e6b1e46df2c217d3bd955a2892fbf6eedfff6 5adf6165136a73c35bb31908a59e070eb91c95227a8ff7f80bc7db84be667952 c7678765d99a15c5cbd018d140d8d40cc25737765684c11583af8333f2f4de04 436dd0fcdde5a5bab0b52e1b72967fde4e349163d2668ee7444c3c245ef209d2 fc0da0477b55a74f8156e25e0f40d5f2a1ad69949caed5eb795467bdb7927c4e 65c663b18e2d5467aacac7142ecd78ccf1b638d9f36a3a4b444573c23dec06fa 60587e8d0bf8cd6f766791a3860a7f27ba1ea795068541eee2330784e51a0152 308f9a2c4614f7e96f5f16e7f57c642aa8ff37192ea38aa2aaa9aa3bde45a708 5bf3a3a67c9434c69475774a37d1e1b2b1a8f4222eeee554f99e2da0242bdb96 02f6e904fc29f6cba6f11865babb45bb01fdc6ddf6576403056e4cd9115a6cb1 78bafc496b8eed4937a2402424a4c59f8cd753052b8072ce947d3191fb164ef6 411aa4cd38c91ce612de667b627237780209fad1d320c9b59667434e979d3183 04dbb59961e5d57dc6bebe09566662101c075b2b212fb81c5dfb2879b43be73b 6d40d7bf318f372b760cecf551c9eb24170884353588bbcb62ef0530074a9677 2a31170ed82dca829aa944c290ace9f04ae3ea3c77e214022e07681d5039f5a1 bffe5ea6785003519d91e65df9fe9f66c7f9e4fc11c119d578de2f215ec891d1 0d1d1a67213474a272540f5ae7af58c074184e92953043e9f51b6896434194c6 58a50c2fc21960d5172bcb8bfa59a99729a6a06ce737410e3c9cd7592325054e 21408463d178005ebb0553521145366d21ab3732ec02a8860e993e160b771ae4 7d1dd0d1b8cc66fb3aaea6b5ed5bf2cf142dd070e064224ef47fd7d41b0e0676 25a63727a14f162cf3ca80e13f35fbed8a9c7ca42d95e48ab9bfaba2ee31d9e8 6d53a1b235c7b6ab3889b9fa7474812e51ee05b1d541f87ac11a5460f190b3a4 4d5d64c70ab70734679762d4aee968775b0b56ed72fe654ffa0fee06af86de54 d68f8f3aad3542bea5a3f8fee265782c112a1bc7b90c365bc24de0da50f7407f 8c3450701ad2d047784907d0f8b3d3cfe26961c3d2e67ab644353a96371b1996 72faa8979e355f7117279a5d400ec3533fb6f8ac2abf370dc14efdf613a31e7c 4e5d6735f8158d556e0ce13fcbd98d3bf825bb29a2af1fa4eae37e1a59e0f456 Ounsworth, et al. Expires 25 July 2026 [Page 18] Internet-Draft Composite ML-DSA CMS January 2026 17ee602562a16ec55cedb24bd6a6b02b8271ac3f9f149b326753105b7ae5c78b a36daae7b4edba06d0092e6010264aa80daf73210ab3e81d0f1d47192ffd3b75 dff55a58bc468d5b935989bd38e00de05d165bab79dd376719c94a37145fd7c2 c7cf5eb6ab059ba0c70eef9db76674a90b6fd220e674f465765057d70ae5eea2 51f6d6477b3af8bbc63ea49b880d4340b339034b5dc9b083c8e06fbaf4d1b012 6a51ed770fdca9167a77aeeb752d675ff194b15d50b04155468f24f54bffc0b0 756f18d18543c583534edf977ed073d083fc72b5da674146ffd0430de23000f9 8711e6cfbe1b1882a6b8d9ac3cfb5cb3f22d7e6c68becba370f8301ec6a1f0a8 1d490bf6b2898af6dc7f05ae620bd9cbb66f0357704fa54c79e6cbf6de5bd53b 94fee4f1e5f9700a4d879d09506c11fb102b846531bb91c779051cef45286ba7 fef03312ac664c6afa6a55a602da322c9ed90c45eb4d92be10b76ea82bf02076 791e887a1f358b3f30e66be24c2b95ff0415692a806ed13bd097cc79f449f5f8 d61f1c515c9753228e44031c6941e7a2c1317b70c890e7ea21b9dac9094f374d b058775780a02520bc1d7ae679f3f0b35506b74b9754d04210c5264994c60480 34530f2d2c15bdac16e495b044deafa753a7ca01213862adadfbd794e6b2e731 3e75c5fb975d5c4328f054d8cd173d824a545c1422a6b9297e1c26230d9dfba9 2151d9035257af3e6d5cd16652141c6ed325f6c58174f13ebcac009d3a010f72 5823af025112866fc9e4c492d3d3c3ec9a3cfd82a616252271954c8bb1a09bad 8cfcbd68af485067706c3684e629c2b9afc0dacaf897a195c7e544edc43dc509 608ecd447b7cb28495e09e8b86b0165978d024abbb0f5d8fe0a012b48ba5047b 320db566fd69ba9586d89c63925a287bcf132174d0d4d2dbe5b35c21a598377e 877a989e9cacd70fb4a5239a549ffcc1ab7ecb2dc16ecb88cc2f91eac0e47761 4cb03db59a7e5a6a89f4b4918533a45c5950c2764594ddd1515508cac61d1fca a2fce8cd76f0e1d31a7b29a9dfd5b22ab8c4cf6e0e6c74934a09552360b676d5 a3f70f6bc70c35bd0ab37729c16077eb9051a12f59daf456025a2bc54d16d1fe e6364e74fc908c91b2d86a78b79dc5b442de690b4d6666c298bd3bb844883bbf 00a035dd54df86deae7a3a8698be10243a35179ea4f1948c91a51ad9c9cc60df 2a98c0a46b3245ac128a96766aa1f33b089cd4c662c01da3e0e897ba58f529a4 da73153d16474c30a6a0d09d7b3af314de4ad11c9d07030aa33bdf4a4044916e d4a9a84d537061b699015fbd9861c1cc616319348efbad85910e32fdf5cf6b31 0f4b46eca7606179283da331ff4d2e47a57a527c83ddc94d163501d2acd6f88e bd0de3fe52e3b9e9fc078db43dbd2e78b252890afe75e8280be8cde2a3386ae0 b85becf0c716e74ef8925033cfc4a19220416b2eb42a55fc6a52b5c8fca601d4 a80b97c49ee29e741e8ff9f1961caf790ab8027c4152405f47100b2aa2a3d8f2 2546436fd09cf3918da7ad41f148214ea7e03917ae14077c76f5f3db464b7d3c 578219632abbff6d64528d51765fb84b8a13a268d409020c7ea455da7a187995 374572450c0f32d4d49f24b4bea6e9585c75187d7a7a2038b92faf80cce28ff5 8f8f1f2203c8babb585fe90abb15912f4f3ccbbc2c5389e96b08e4fba73c532e eae0d76b86ec0c1357c1791cb52f1b0068c30ad8cf0e35322b88281b42725f10 de162f48abfa2a81c1be61cd72ea5c9971cf55a77ece5947d2f73a143587db08 7a285f15f3569e82e5174ab6a4c9c43202eff8c71bc7bc506450a33a39d64042 9e773b7d8ccf95f8daa5d674027597e77e09b602f9c258bc9ea880f81d3d7057 49af5b22ca152b684a68d5da9105c6d6067edab5dac0faf30d95cc1ce7d52c86 4b04ef6b48459f52a7b51a151978c08b5ed5f62de5ae0094c2b6e21fc4232dd6 d7e7001a6f7ea2baca1c6e8e96bdedf3436c9dd2ec061628484d393c557dddef f400000000000000000000000000000000000000050c13181d243045022100ae b6214771606e55ea5ca9ba644ad3b0ee780c19d7aa031e0fa56a0cb8e01d9002 205e91bd3cb5e7fe7a80e9830fbcd9c88bbcd00c0dee72ace017ba648cc37e0a Ounsworth, et al. Expires 25 July 2026 [Page 19] Internet-Draft Composite ML-DSA CMS January 2026 b6` } } } } } } Acknowledgements The authors wish to thank Piotr Popis for his valuable feedback on this document. Thanks to the co-authors of [RFC9882], Ben Salter and Adam Raine, this document borrows heavily from that one. "Copying always makes things easier and less error prone" - [RFC8411]. Authors' Addresses Mike Ounsworth Entrust Limited 2500 Solandt Road – Suite 100 Ottawa, Ontario K2K 3G5 Canada Email: mike.ounsworth@entrust.com John Gray Entrust Limited 2500 Solandt Road – Suite 100 Ottawa, Ontario K2K 3G5 Canada Email: john.gray@entrust.com Jan Klaussner Bundesdruckerei GmbH Kommandantenstr. 18 10969 Berlin Germany Email: jan.klaussner@bdr.de Daniel Van Geest CryptoNext Security ‍16, Boulevard Saint-Germain 75007 Paris France Email: daniel.vangeest@cryptonext-security.com Ounsworth, et al. Expires 25 July 2026 [Page 20]