I have read the draft. I have one pedantic request:
3.2. Handshake signature

   When one of those SignatureScheme values is used in a CertificateVerify message, then the signature MUST be computed and verified as specified in Section 4.4.3 of [RFC8446], and the corresponding end-entity certificate MUST use the corresponding AlgorithmIdentifier from Table 1.

The corresponding end-entity certificate is using the corresponding AlgorithmIdentifier **in the SubjectPublicKeyInfo** (because whether it's used as the signatureAlgorithm is orthogonal to the handshake signature), but I think this text should be explicit.

I suppose this same comment applies to the heading row of Table 1: "Certificate AlgorithmIdentifier" could be "Certificate SPKI AlgorithmIdentifier". ML-DSA uses the same OID for public keys as for signature algorithms, so it is important to specify which is being referred to.

Apart from this, I think the draft is ready for publication.

Daniel

________________________________
From: Sean Turner <[email protected]>
Sent: Thursday, April 9, 2026 8:30 PM
To: TLS List <[email protected]>
Subject: [TLS] Working Group Last Call for Use of ML-DSA in TLS 1.3

This is the working group last call for Use of ML-DSA in TLS 1.3. Please review draft-ietf-tls-mldsa [1] and reply to this thread indicating if you think it is ready for publication or not. If you do not think it is ready please indicate why. This call will end on April 23, 2026.

REMINDER: If you have not done so recently, review the TLS WG's Mail List Procedures; see [2].

The Chairs,
Deirdre, Joe, and Sean

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/
[2] https://mailarchive.ietf.org/arch/msg/tls/ucdImHExlbOf4Q3BCG81gjzi2xE/

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
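The distinction Daniel is asking the draft to spell out, shown in code as an added example (not part of the thread, the draft, or any TLS implementation): an X.509 certificate carries two separate AlgorithmIdentifiers, the outer signatureAlgorithm (how the issuer signed the certificate) and the one inside subjectPublicKeyInfo (what kind of key the subject holds, i.e. the key that produces the CertificateVerify signature). Because ML-DSA uses one OID for both roles, only a check against the SPKI field answers the question Section 3.2 poses. The script is stdlib-only; the certificates are constructed toys with empty names and dummy key and signature bytes, the OID values are assumed from FIPS 204 / LAMPS and RFC 5758 rather than taken from the draft, and SCHEME_TO_SPKI_OID is a hypothetical stand-in for Table 1.

```python
# Added example: extract both AlgorithmIdentifiers from a DER certificate and
# check the SPKI one against the expected TLS SignatureScheme. Not from the draft.

# OIDs assumed from FIPS 204 / LAMPS and RFC 5758 (verify against the draft's Table 1).
OID_ML_DSA_65 = "2.16.840.1.101.3.4.3.18"   # id-ML-DSA-65: same OID for key and signature
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"    # ecdsa-with-SHA256: signature-algorithm-only OID
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"     # id-ecPublicKey: SPKI-only OID
OID_P256 = "1.2.840.10045.3.1.7"            # secp256r1, used as id-ecPublicKey parameters

# Hypothetical stand-in for the draft's Table 1: SignatureScheme name -> SPKI OID.
SCHEME_TO_SPKI_OID = {"mldsa65": OID_ML_DSA_65}


# --- minimal DER encoding -------------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def alg_id(oid: str, params: bytes = b"") -> bytes:
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }
    return der_seq(der_oid(oid), params)

def build_toy_cert(spki_oid: str, sig_oid: str, spki_params: bytes = b"") -> bytes:
    """Constructed v3 certificate skeleton: realistic field layout, dummy contents."""
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),                      # [0] version v3
        der(0x02, b"\x01"),                                 # serialNumber
        alg_id(sig_oid),                                    # signature (mirrors outer field)
        der_seq(),                                          # issuer Name (empty toy)
        der_seq(der(0x17, b"260101000000Z"), der(0x17, b"270101000000Z")),  # validity
        der_seq(),                                          # subject Name (empty toy)
        der_seq(alg_id(spki_oid, spki_params), der(0x03, b"\x00\xAA\xAA\xAA\xAA")),  # SPKI
    )
    return der_seq(tbs, alg_id(sig_oid), der(0x03, b"\x00\xBB\xBB\xBB\xBB"))


# --- minimal DER parsing --------------------------------------------------
def _read_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extract_algorithm_oids(cert_der: bytes) -> dict:
    """Return the two distinct AlgorithmIdentifier OIDs of a certificate."""
    _, cert_body, _ = _read_tlv(cert_der)
    (_, tbs), (_, sig_alg), _sig_val = _children(cert_body)
    tbs_fields = _children(tbs)
    if tbs_fields[0][0] == 0xA0:               # skip optional [0] EXPLICIT version
        tbs_fields = tbs_fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki = tbs_fields[5]
    (_, spki_alg), _pubkey = _children(spki)
    return {"spki": decode_oid(_children(spki_alg)[0][1]),
            "signatureAlgorithm": decode_oid(_children(sig_alg)[0][1])}

def spki_matches_scheme(cert_der: bytes, scheme: str) -> bool:
    """The Section 3.2 requirement as a check: key type must match the
    CertificateVerify scheme. Only the SPKI OID is consulted; the outer
    signatureAlgorithm is the issuer's business and is deliberately ignored."""
    return extract_algorithm_oids(cert_der)["spki"] == SCHEME_TO_SPKI_OID[scheme]


# Constructed cases: same SPKI key type, different issuer algorithms, and the reverse.
CERT_SELF_SIGNED = build_toy_cert(OID_ML_DSA_65, OID_ML_DSA_65)
CERT_ECDSA_ISSUED = build_toy_cert(OID_ML_DSA_65, OID_ECDSA_SHA256)
CERT_EC_KEY_MLDSA_ISSUED = build_toy_cert(OID_EC_PUBLIC_KEY, OID_ML_DSA_65, der_oid(OID_P256))

if __name__ == "__main__":
    for name, cert in [("self-signed", CERT_SELF_SIGNED), ("ecdsa-issued", CERT_ECDSA_ISSUED),
                       ("ec-key-mldsa-issued", CERT_EC_KEY_MLDSA_ISSUED)]:
        print(name, extract_algorithm_oids(cert), "mldsa65 ok:", spki_matches_scheme(cert, "mldsa65"))
```

The ecdsa-issued case is the one that shows why the wording matters: an ML-DSA-65 end-entity key certified by an ECDSA CA is a perfectly valid mldsa65 certificate for TLS, and the reverse case (an EC key in a certificate signed with ML-DSA-65) must be rejected for that scheme even though "the" ML-DSA OID appears in the certificate. A reader who took "the corresponding AlgorithmIdentifier" to mean the outer signatureAlgorithm would get both answers wrong.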
