<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-tls-mldsa-05" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Use of ML-DSA in TLS 1.3">Use of ML-DSA in TLS 1.3</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-tls-mldsa-05"/>
    <author fullname="Tim Hollebeek">
      <organization>DigiCert</organization>
      <address>
        <email>tim.hollebeek@digicert.com</email>
      </address>
    </author>
    <author fullname="Sophie Schmieg">
      <organization>Google</organization>
      <address>
        <email>sschmieg@google.com</email>
      </address>
    </author>
    <author initials="B. E." surname="Westerbaan" fullname="Bas Westerbaan">
      <organization>Cloudflare</organization>
      <address>
        <email>bas@cloudflare.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Transport Layer Security</workgroup>
    <keyword>ML-DSA</keyword>
    <keyword>FIPS204</keyword>
    <abstract>
      <?line 50?>

<t>This memo specifies how the post-quantum signature scheme ML-DSA (FIPS 204)
is used for authentication in TLS 1.3.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://tlswg.github.io/tls-mldsa/draft-ietf-tls-mldsa.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-tls-mldsa/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Transport Layer Security Working Group mailing list (<eref target="mailto:tls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/tls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/tlswg/tls-mldsa"/>.</t>
    </note>
  </front>
  <middle>
    <?line 56?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a
post-quantum digital signature algorithm
standardised by the US National Institute of Standards and Technology (NIST)
in <xref target="FIPS204"/>.</t>
      <t>This memo specifies how ML-DSA can be negotiated for authentication in TLS 1.3
via the <tt>signature_algorithms</tt> and <tt>signature_algorithms_cert</tt> extensions.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="ml-dsa-signaturescheme-values">
      <name>ML-DSA SignatureScheme Values</name>
      <aside>
        <t>Note to RFC editor: References to RFC 8446 are to be updated
to reference RFC 9846 (RFC 8446bis) once it is published.
Section references need to be updated accordingly.
PR: <eref target="https://github.com/tlswg/tls-mldsa/pull/25">https://github.com/tlswg/tls-mldsa/pull/25</eref></t>
      </aside>
      <t>As defined in <xref target="RFC8446"/>, the SignatureScheme namespace is used for
the negotiation of signature scheme for authentication via the
<tt>signature_algorithms</tt> and <tt>signature_algorithms_cert</tt> extensions.
This document maps three new SignatureScheme values for the three
ML-DSA parameter sets listed in Section 4, Table 1 of <xref target="FIPS204"/>
to the SignatureAlgorithmIdentifiers from <xref target="RFC9881"/> as follows.</t>
      <table anchor="schemes">
        <name>SignatureSchemes for ML-DSA</name>
        <thead>
          <tr>
            <th align="left">SignatureScheme</th>
            <th align="left">FIPS 204</th>
            <th align="left">Signature AlgorithmIdentifier</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">mldsa44(0x0904)</td>
            <td align="left">ML-DSA-44</td>
            <td align="left">id-ML-DSA-44 (2.16.840.1.101.3.4.3.17)</td>
          </tr>
          <tr>
            <td align="left">mldsa65(0x0905)</td>
            <td align="left">ML-DSA-65</td>
            <td align="left">id-ML-DSA-65 (2.16.840.1.101.3.4.3.18)</td>
          </tr>
          <tr>
            <td align="left">mldsa87(0x0906)</td>
            <td align="left">ML-DSA-87</td>
            <td align="left">id-ML-DSA-87 (2.16.840.1.101.3.4.3.19)</td>
          </tr>
        </tbody>
      </table>
      <t>Note that these are different from the HashML-DSA pre-hashed
variants defined in Section 5.4 of <xref target="FIPS204"/>,
which are not used here
because of the reasons laid out in <xref section="8.3" sectionFormat="of" target="RFC9881"/>.</t>
      <section anchor="certificate-chain">
        <name>Certificate Chain</name>
        <t>For the purpose of signalling support for signatures on certificates
as per <xref section="4.2.3" sectionFormat="of" target="RFC8446"/>, these values indicate support
for signing using the given AlgorithmIdentifier shown in <xref target="schemes"/>
as defined in <xref target="RFC9881"/>.</t>
      </section>
      <section anchor="handshake-signature">
        <name>Handshake Signature</name>
        <t>When one of those SignatureScheme values is used in a CertificateVerify message,
then the signature <bcp14>MUST</bcp14> be computed and verified as specified in
<xref section="4.4.3" sectionFormat="of" target="RFC8446"/>, using
Algorithm 2 (ML-DSA.Sign) and Algorithm 3 (ML-DSA.Verify)
of <xref target="FIPS204"/> respectively. The context (ctx) parameter
<bcp14>MUST</bcp14> be the empty string. Note that the context parameter of FIPS 204
is different from the context string of <xref section="4.4.3" sectionFormat="of" target="RFC8446"/>.</t>
        <t>The corresponding end-entity
certificate <bcp14>MUST</bcp14> use the corresponding AlgorithmIdentifier
from <xref target="schemes"/> in its SubjectPublicKeyInfo.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations described in Appendices <xref target="RFC8446" section="C.2" sectionFormat="bare"/> and <xref target="RFC8446" section="E.1" sectionFormat="bare"/> of <xref target="RFC8446"/>
and <xref section="4.4.3" sectionFormat="of" target="RFC8446"/> apply. In particular, signature-based modes of
TLS depend on the signature scheme being secure against chosen message
attacks <xref target="SIGMA"/>. Per Section 3.1 of
<xref target="FIPS204"/>, ML-DSA is designed to meet this property.</t>
      <t>Implementation failures, such as side channels, in cryptographic primitives can
also compromise the primitive and thus a TLS connection depending on it.
Sections 3.4 and 3.6 of <xref target="FIPS204"/> discuss additional considerations for
implementing ML-DSA, including guidance on the choice of hedged vs deterministic
variants. These considerations apply when ML-DSA is used for TLS.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document requests new entries to the TLS SignatureScheme registry,
according to the procedures in <xref section="6" sectionFormat="of" target="RFC9847"/>.</t>
      <table>
        <thead>
          <tr>
            <th align="left">Value</th>
            <th align="left">Description</th>
            <th align="left">Recommended</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">0x0904</td>
            <td align="left">mldsa44</td>
            <td align="left">N</td>
            <td align="left">This document.</td>
          </tr>
          <tr>
            <td align="left">0x0905</td>
            <td align="left">mldsa65</td>
            <td align="left">N</td>
            <td align="left">This document.</td>
          </tr>
          <tr>
            <td align="left">0x0906</td>
            <td align="left">mldsa87</td>
            <td align="left">N</td>
            <td align="left">This document.</td>
          </tr>
        </tbody>
      </table>
      <t>As defined in <xref section="3" sectionFormat="of" target="RFC9847"/>, the value N indicates</t>
      <ul empty="true">
        <li>
          <t>That the item has not been evaluated by the IETF and
that the IETF has made no statement about the suitability of
the associated mechanism. This does not necessarily mean that
the mechanism is flawed, only that no consensus exists. The
IETF might have consensus to leave an item marked as "N" on the
basis of the item having limited applicability or usage constraints</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9881">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
            <author fullname="J. Massimo" initials="J." surname="Massimo"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="B. E. Westerbaan" initials="B. E." surname="Westerbaan"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>Digital signatures are used within X.509 certificates and Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using FIPS 204, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 certificates and CRLs. The conventions for the associated signatures, subject public keys, and private key are also described.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9881"/>
          <seriesInfo name="DOI" value="10.17487/RFC9881"/>
        </reference>
        <reference anchor="FIPS204">
          <front>
            <title>Module-lattice-based digital signature standard</title>
            <author>
              <organization/>
            </author>
            <date month="August" year="2024"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.204"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9847">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="December" year="2025"/>
            <abstract>
              <t>This document updates the changes to the TLS and DTLS IANA registries made in RFC 8447. It adds a new value, "D" for discouraged, to the "Recommended" column of the selected TLS registries and adds a "Comment" column to all active registries that do not already have a "Comment" column. Finally, it updates the registration request instructions.</t>
              <t>This document updates RFC 8447.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9847"/>
          <seriesInfo name="DOI" value="10.17487/RFC9847"/>
        </reference>
        <reference anchor="SIGMA">
          <front>
            <title>SIGMA: The ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols</title>
            <author fullname="Hugo Krawczyk" initials="H." surname="Krawczyk">
              <organization/>
            </author>
            <date year="2003"/>
          </front>
          <seriesInfo name="Lecture Notes in Computer Science" value="pp. 400-425"/>
          <seriesInfo name="DOI" value="10.1007/978-3-540-45146-4_24"/>
          <seriesInfo name="ISBN" value="[&quot;9783540406747&quot;, &quot;9783540451464&quot;]"/>
          <refcontent>Springer Berlin Heidelberg</refcontent>
        </reference>
      </references>
    </references>
    <?line 171?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thanks to
    Alicja Kario,
    John Mattsson,
    Rebecca Guthrie,
    Alexander Bokovoy,
    Niklas Block,
    Ryan Appel,
    Loganaden Velvindron,
    David Benjamin,
    Viktor Dukhovni,
    Rob Sayre,
    Daniel Van Geest,
    Martin Thomson,
    Wang Guilin,
    and Nick Sullivan
    for their review and feedback.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61Y63LbuBX+j6dAtX/sjklZtmwrms3FsXNR13bSyElmp9PZ
BUlIQkSCXAKUo9p+lz5Ln6zfAUhKsuW0nalmEpMAzv2c7xwwCAJmlU3lkHc+
G8nzCb+8CM7Hp1xpfn0x5r3wsMNEFJVy8cMjsbBympfLIVYnOWNJHmuRgW1S
iokNlLSTwKYmyNLEiGD/iJkqypQxKtd2WeDc6M31W6arLJLlkCXgNmRxro3U
pjJDbstKMmhwyEQpxZCPZVyVyi7ZTV7Op2VeFUN+XQptiry0/EIsZbk6M5dL
HEuGjAe16vT0dvRxfLDfZwupKwjjvGbTeYpPB2e8rp2vkKr0lL8jElrPhEqx
DgtfkalhXk5pWZTxDMszawsz7HbpFC2phQybY11a6EZlfmNkF/RdopsqO6si
z/Bm2m0dR3spfGPsGld3JvQkocpXp7vbfB/ObJZ2GBOVneUl+QQ8OZ9UaeoD
1rlWGX+fp6mMpJx33C70FFr9Q1iEa8jP1VSdydK6LelNtyoLZw3RqwQnYpwI
4zzbImGcFzMl+TieZUpOt4l4l+fTVK4LMMaffjV1W+uclUaGvA7fhPwrPCPL
SAj9UORrYdZ2t4k8S/MqmSA+G2IjYV7F7Y6TynReZiBaUNZ8ens26PeP/dOz
waA3ZIwqYOPEs0H/BOv4BUHARWRsKWLL2PVMGZ7JLOemkLGaKGn4LL/hdiZ5
kRsb/FEJbauMGzXVwlal5PCCzGRTgTuUxBxZvMvAqTIy4RDNKbZSWxU709bq
NKxVyFSSwL3sJz7StsyTKqaDpBBY4zWVwYWwYCADOA5cKeRWpHzcKnKaotyR
cxnf8crscqgg2IbeSU220l80ZMxYoRNRJor4R0tn9Ocxv3I6g2akDZCpsg5x
xvVhSNAJv5bxTOdpPl3ynavR+BrWa357+6e6pJ+ffxiFvf3weP9g0KX9kDZC
7Nzfh097vfZpLDSPJNeAM6tQa//BpWyhhNP999bI31ojze9O361bv1GB/M7l
dwuMA08TUjzOcr0gOXh3pOdyorRy7z48ADNOaGZ45/Lz+Lqz5//yqw/u+dOb
v34efXpzTs/j96cXF+0Dq0+M33/4fHG+elpRnn24vHxzde6Jsco3lljn8vRX
7JBWnQ8fr0cfrk4vOuQJSw4F4FcZNAfmSW5zcqHSKLeilORDYVgiTVyqCC+g
eX328V//7PUpaiiQg17v2f19/TLonSBQ/Ab+9tJynS7rVzh6yURRSFESF5Gm
iFdBOWZw1nCDQGo+kyhVxv78N/LM34f85yguev0X9QIZvLHY+Gxj0fns8coj
Yu/ELUtbxLTe3Fh/4OlNfU9/3Xhv/L62+PPLVGnJg97g5QtGKVTncVuqYw8Z
X0RaSSTR7VAYlch79oJf5dbFCk7nMlEW/YB/khN4T8coinqH8G0tqlVB3TkB
Od7L5rQ7CZw75jsNTaTMLmKHPWUJG4oqSpWZySQELZqqK6RyJU5LpMaGDC7i
GKmOTpsuiejjJ5jdtL264QGRuw+6ZLcA7ncPjuCOUyQmVZBPutvbGq7v710q
PfIRNQtTCFJ5BaeMTjZwQDoDjx4B8haMqIGB/R+A4XqjwjJRIDizUpJaN4+M
WLhAO41Ic3eQ1UlRiBImoiy5kdZwxMN61zTx6O/xaxGlkvfIzNvbGlLv7xki
s+GytgGMEjIaMFpCaJln3s3UC1HFghRJU0w3KMi7R7re8aaDcX63rbusmKMn
37G74OHv7onnH/7AiLtU6fd39r/vP0MDhXjvo6Dfx7NKgtXrzkHYOw4H/f2w
h75CfbSPf72TXd4yOj7yjI7WGB0fbTDC6xOMBmuMBiee0fEao8HJBiO8PsHo
GTG6HfKffFYiS2i2f9554HafHJ5bh98z5oFgJiyFGDM+VXuiJq40rQ8qxf69
MLMmkUoZzARVM1uIUqHdb1Rak05HYf9BHu2xm5mKZ06Ezq2vMgJsFslYVP6C
QcIw5xvqgqlQaAGV9QXcMB6Eh3SwTTRqnuieqBwkC11G+NlMKM3e1lVQVCUm
E9nWbprS/G6qwg365I62FA1Ai8crToYhiQsk4Ep6Pzxo5a/hiWmLT+nEa1FL
YI0EkloZ+p+0mmJE1FuT3TcyZ3IdS5SgeIxm69a/B6SYmZivFSn7CkSCPbVX
yQNPwEUDeNRV1/34RZZqssS8ZIyYyj0CQ+10X0Gga6pAbUBxUTnYBrQtiE65
zt/OWcSdrXux/8iLzjdsNVweNONlSHrvOtar3cN216u5yzaTDUlEsmkSRwfh
ND/hUmkBrXwntt93V3jIGiPINJkVdskxpUOXkG8UR0u/QlKIbECMpvAtddPQ
eI6+IJ52QugHPXQ+0j7X1P+41ElAyYHr7FpqetdT0dhHFFuyitXw3GYURVuh
csdV9A36fKQOHf8ilyPcYNw42tx9aS6lqaEUa6OoaTbjjU2+Mejd3p5iXKNy
QJKdhQcugm/C3obJjBZ/5BOOmY8iONLkeLTYCtexvVUOBpG7pmR5QuU7YTSc
J5LkUjFvpmvdsSPpEIBsAOBNARbG8phKRDfZznAHEvHcQLWX49G7y9PmZtHb
3z/pPjsZBIfBUX8/6B/1+sdB/7cDumDwj/6bgbPk0BnK1vGv/XriHAWt/NST
SWn9JF2UOdDGYuJho6xIJfV8P1FMcCUlgILhFUEoKgtuh9JCa0kTMPwdl8vC
5tNS4Iodg5fKFKW/oXsNw5icuzJFHqg6a9ojLjKYqXDxcJcbRFXXZnhXutyl
hAlZbZ+BgX1HdxgePwB6FIKJKwNuSaLqO92DRKHhSjUmEnfvGrIjTisnb1qp
RNAMWYcRAVKxQzO0nilctyA3ogwzXJNwYYzbduTK3ciHMl0iudvEWiDamzPs
Dt0QPTq9Ot2S9OtjWCn/AHBa44YwLJTKz8ykJvnvIdCWcgoNy+Uea8fa5jji
EcvE9Z6NLnfc9rj+iQOGOz/G0yyEqyGVWeEO3mFuR1yhVwJL7lZTPHe/9cFp
c0j60Vs9KPkBiSTWI5Nnya/46nfHN3wT8pbwqCXE/PO/EB63hJh3/ivCR9N+
W4UbbvSjv2t74Nh0aoT3BVjWKK+szDjmGzeiRBLJIonAXUrqbxX0wZJSny5C
DZlbI7JMJDTeAPFB4q/FEc0wDokq3FcjlRJyAhteuEVhTB77zw2ZpIJWJgsb
E6XXA9VIuFSqlPqx0E5uTd8SUTpPUnEjkz1/cXbK6Zy3X1Nxs0Ae+voAtdM5
U9OZheYLuXYOyZlK4YDBOyQT5dx39M5Vp65IcAD2KtOMbbXnFpTdKSELEaDm
4OTG5hL1BnR1kmwJ4LXGf5aKALZUfKfxXOc3KQqcXGcw0foPwzJ53pkAw2Tn
nopR6Dkp6T7XnULAN8F/gXfyPbfyl3yGEgeCw7PaL32SmDFjwd/hooZq3asp
5XeEEaD9Op/ni3zpl6/UPIWhr9M8ntfUS/iBmlnq3y/yqdCIs+ZfZAp7k7KR
cw7zE/5a6m8CsOTXvqg57tf8vJrP8oVWNcs84mOxLGVDp5VMUeKav5OAFr96
SQ1PI1p51lryVdDX5woOrRcIg69UPEcrx2i7aD6A+ulXlQCfhQJM0bEJ7tnk
6ZD9G9v+MAD+FwAA

-->

</rfc>
