Internet X.509 Public Key Infrastructure: Algorithm Identifiers for SLH-DSA
draft-ietf-lamps-x509-slhdsa-09

[Ballot comment]
Thanks for the work done in this document.

Two minor changes in the abstract as this I-D has an intended status of "standard track".

s/This document *describes* the conventions.../This document *specifies* the conventions.../

s/... private keys are also *described*./... private keys are also *specified*./

[Ballot comment]
Thanks for this document. I have one comment.

On citing 4086, I actually agree with Theo de Raadt that this RFC is
too outdated to be a useful reference. See his message
https://mailarchive.ietf.org/arch/msg/ssh/OmzXAJ6X9TVMC62IJsrun3kReHs/

I would prefer the document does not cite it (and that the IESG takes
on 4086 to make it Historic)

[Ballot comment]
Thank you to Dale Worley for the GENART review.

** Section 5.  Given that there is normative guidance on how AlgorithmIdentifier should be used in this section, RFC5912 should be cited normatively.

[Ballot comment]
Hi Kaveh, Scott, Stefan-Lukas, Daniel, and Stavros,

Thanks for the effort put into this specification. Special thanks for supplying an Ops Considerations Section.

Thanks to Linda Dunbar for the OPSSIR review and Russ of the clarification.

# Generic comments

## A lot of duplicated text

I think that the specification can be simplified by removing a lot of duplicate text and simply reference appropriate docs, mainly draft-ietf-lamps-cms-sphincs-plus. This impacts Sections 3/5 in particular.

## Notation conventions

Please update your terminology section to explain the notation conventions for at least the following:

* ||

* id-slh-dsa-*

* id-hash-slh-dsa-*

# Introduction

## Small and Fast

CURRENT:
  SLH-DSA offers three security levels.  The parameters for each of the
  security levels were chosen to be at least as secure as a generic
  block cipher of 128, 192, or 256 bits.  There are small (s) and fast
  (f) versions of the algorithm, and the option to use the SHA2
  algorithm family [FIPS180] or SHAKE256 [FIPS202] as internal

Can we add some words about this characterization? Specifically, what does meant “small” and “fast” in this context?

## Assignments

CURRENT:
  Separate algorithm identifiers have been assigned for SLH-DSA for
  each combination of these security levels, fast vs small, SHA2 vs
  SHAKE256 and pure mode vs pre-hash mode.

Please indicate these are assigned by whom.

# Section 3

CURRENT:
  The contents of the parameters component for each algorithm MUST be
  absent.

Do we need to include this given that the text was copied from draft-ietf-lamps-cms-sphincs-plus and that spec already says:

Section 3 of draft-ietf-lamps-cms-sphincs-plus:
  The parameters field of the AlgorithmIdentifier for the
  SLH-DSA public key MUST be absent.

The same comment applies for a similar text in Section 4.

# Section 6

## At least one parameter

CURRENT:
  The intended application for the key is indicated in the keyUsage
  certificate extension; see Section 4.2.1.3 of [RFC5280].  If the
  keyUsage extension is present in a certificate that indicates an id-
  slh-dsa-* (Pure SLH-DSA) or id-hash-slh-dsa-* (HashSLH-DSA)
  identifier in the SubjectPublicKeyInfo, then at least one of the
  following MUST be present:

      digitalSignature; or
      nonRepudiation; or
      keyCertSign; or
      cRLSign.


As we say “at least one the parameter, I guess, we need to change this part to be:

NEW:
  The intended application for the key is indicated in the keyUsage
  certificate extension; see Section 4.2.1.3 of [RFC5280].  If the
  keyUsage extension is present in a certificate that indicates an id-
  slh-dsa-* (Pure SLH-DSA) or id-hash-slh-dsa-* (HashSLH-DSA)
  identifier in the SubjectPublicKeyInfo, then at least one of the
  following MUST be present:

      digitalSignature
      nonRepudiation
      keyCertSign
      cRLSign

Or similar. Otherwise, I don’t partse “at least” and “or” use here.

## No sure to parse the use of “or”

Maybe consider:

OLD:
  If the keyUsage extension is present in a certificate that indicates
  an id-slh-dsa-* (Pure SLH-DSA) or id-hash-slh-dsa-* (HashSLH-DSA)
  identifier in the SubjectPublicKeyInfo, then the following MUST NOT
  be present:

      keyEncipherment; or
      dataEncipherment; or
      keyAgreement; or
      encipherOnly; or
      decipherOnly.

NEW:
CURRENT:
  If the keyUsage extension is present in a certificate that indicates
  an id-slh-dsa-* (Pure SLH-DSA) or id-hash-slh-dsa-* (HashSLH-DSA)
  identifier in the SubjectPublicKeyInfo, then the following MUST NOT
  be present:

      keyEncipherment,
      dataEncipherment,
      keyAgreement,
      encipherOnly, and
      decipherOnly.

# Section 8

## As some OIDs are assigned by US NIST, are there implications on the maintenance of the usage described in this spec?

## Section 9 has the following:

CURRENT:
  An SLH-DSA tree MUST NOT be used for more than 2^64 signing
  operations.

How is this tracked/ensured? Can this be covered in the Ops Cons section?

# Section 9: Mysterious SHOULD

CURRENT:
  Implementers SHOULD consider their particular use cases and may
  choose ….

  Likewise, implementers SHOULD consider their particular use cases and
  ….

I don’t understand what this concretely means or implies.

# IANA

CURRENT:
  For the ASN.1 Module in Appendix A of this document, IANA is
  requested to assign an object identifier (OID) for the module
  identifier (TBD1) with a Description of "id-mod-x509-slh-dsa-2024".
  The OID for the module should be allocated in the "SMI Security for
  PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).

I’m not familiar with the naming convention, but any reason why the final name module isn’t id-mod-x509-slh-dsa-2025?

# Appendix A: Note can be removed:

CURRENT:
      |  RFC EDITOR: Please replace TBD2 with the value assigned by IANA
      |  during the publication of [I-D.ietf-lamps-cms-sphincs-plus].
      |  Also please replace [I-D.ietf-lamps-cms-sphincs-plus]
      |  throughout this document with a reference to the published RFC.

…

      FROM SLH-DSA-Module-2024  -- in [I-D.ietf-lamps-cms-sphincs-plus]
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
        id-smime(16) id-mod(0) id-mod-slh-dsa-2024(TBD2) } ;

I think this can be updated to reflect the final assignment made for this.

Please update to use 81 per https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml and remove the RFC Editor note.

Cheers,
Med

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-lamps-x509-slhdsa-07. If any part of this review is inaccurate, please let us know.

The IANA understands that, upon approval of this document, there is a single action which we must complete.

In the SMI Security for PKIX Module Identifier registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

A single, new registration will be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-x509-slh-dsa-2024
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

We understand that this is the only action required to be completed upon approval of this document.

NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2025-05-22):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-lamps-x509-slhdsa@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Internet X.509 Public Key Infrastructure: Algorithm Identifiers for SLH-DSA) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Internet
X.509 Public Key Infrastructure: Algorithm Identifiers for
  SLH-DSA'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2025-05-22. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  Digital signatures are used within X.509 Public Key Infrastructure
  such as X.509 certificates, Certificate Revocation Lists (CRLs), and
  to sign messages.  This document describes the conventions for using
  the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) in
  X.509 Public Key Infrastructure.  The conventions for the associated
  signatures, subject public keys, and private keys are also described.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-x509-slhdsa/



No IPR declarations have been submitted directly on this I-D.

# Shepherd Write-up for draft-ietf-lamps-x509-slhdsa-06

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was some controversy about the inclusion of both pure mode and
  pre-hash mode.  It was resolved fairly quickly without any anger.  This
  document represents consensus.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal or otherwise expressed disagreemnt.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, including the code that produced the examples in the
  document.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder values are inserted for the module
  identifiers that will be assigned by IANA, the ASN.1 module in Appendix A
  compiler without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    The authors have explicitly stated that they are unaware of any IPR that
    needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complaint about non-ASCII characters in the author of a reference,
    which of course, is completely fine.

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are no downward references.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All but one normative reference has already been published.  That one
    is in the RFC Editor queue.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.  It also depends on the assignment of an OID for
    the module identifier in [I-D.ietf-lamps-cms-sphincs-plus], which is
    already in the RFC Editor's queue.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.

# Shepherd Write-up for draft-ietf-lamps-x509-slhdsa-06

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was some controversy about the inclusion of both pure mode and
  pre-hash mode.  It was resolved fairly quickly without any anger.  This
  document represents consensus.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  No one has threatened an appeal or otherwise expressed disagreemnt.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, including the code that produced the examples in the
  document.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder values are inserted for the module
  identifiers that will be assigned by IANA, the ASN.1 module in Appendix A
  compiler without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    The authors have explicitly stated that they are unaware of any IPR that
    needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complaint about non-ASCII characters in the author of a reference,
    which of course, is completely fine.

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are no downward references.

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    All but one normative reference has already been published.  That one
    is in the RFC Editor queue.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.  It also depends on the assignment of an OID for
    the module identifier in [I-D.ietf-lamps-cms-sphincs-plus], which is
    already in the RFC Editor's queue.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.