Adding the remainder of the email thread with Francois Rousseau and Mike Ounsworth, which has been cut off by the OASIS system:
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Sent: Sunday, March 2, 2025 5:39 PM
To: Francois Rousseau <frousse@icloud.com>; Dieter Bong <dieter.bong@utimaco.com>
Subject: RE: [EXTERNAL] PKCS#11 mechanism with hash value μ for calculating an ML-DSA signature
(I am trying to send again with my S/MIME signature removed since this seems to have been rejected by Dieter's email server. Why would an email server reject a signed email when it is happy to accept the same email in plaintext? This is a ridiculous example of "Error: Content is Secure")
Thank you François!
Dieter, yes, my understanding also is that ML-DSA external µ is actually closer to how HSM interfaces work today with RSA and ECDSA, and therefore should be easy to integrate.
For FIPS compliance, Tim Hudson had private discussions with the NIST PQC (Dustin Moody) and CMVP (Chris Celi) teams around this, and this led to NIST posting the following FAQ on the FIPS 204 page last week. We believe this is clear, but if you still have reservations, I would be happy to forward those to NIST on your behalf.
https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs#Rdc7
---
Mike Ounsworth
From: Francois Rousseau <frousse@icloud.com>
Sent: Sunday, March 2, 2025 7:45 AM
To: Dieter Bong <dieter.bong@utimaco.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] PKCS#11 mechanism with hash value μ for calculating an ML-DSA signature
Hi Dieter,
Please note that I am also copying Mike Ounsworth on this new e-mail since, as I had indicated to you before, Mike and the IETF LAMPS working group previously discussed and concluded that PKCS #11 v3.2 should support a mechanism that allows inputting the hash value μ for calculating an ML-DSA signature.
You had previously suggested that from a technical perspective, you believed it would be quite straightforward to define an additional ML-DSA mechanism that takes μ as an input. However, you had to be sure that such a mechanism could also be FIPS validated, otherwise applications would not work when operated (using a crypto module) in FIPS mode.
For your consideration,
Francois
------------------------------
Best regards,
Dieter
------------------------------
Original Message:
Sent: 03-05-2025 10:51
From: Dieter Bong
Subject: [EXTERNAL] PKCS#11 mechanism with hash value μ for calculating an ML-DSA signature
Hi Mike,
thank you for pointing to the recent posting on the NIST FAQ page. I had not seen this yet as I have been on PTO for a few days.
This is indeed good news: it confirms that what is quite straightforward to implement as an HSM interface will also be accepted by NIST when validating such an HSM implementation. I have forwarded the hint to this new FAQ to my colleagues steering the implementation and certification of our HSM firmware.
I copy the OASIS TC PKCS11 mailing list to have this discussion in a public forum, and use it as a starting point for a TC discussion and eventually a new work item.
P.S.: I have contacted our IT team to understand why your initial mail has been rejected. I will come back to you in a separate thread once I have their feedback.