Adds support for post-quantum ML-DSA algorithms
Fixes https://github.com/CycloneDX/specification/issues/674
With inspiration from the Node.js PRs and this, this pull request adds three new post-quantum algorithms: "ML-DSA-44", "ML-DSA-65", and "ML-DSA-87" to better future-proof BOM signature validity. The hypothetical but real threat this addresses is that traditional signatures with RSA/ECDSA may become invalid when quantum computers break them.
The following alternative ideas could be considered:
- URI-Based references
  `"algorithm": "urn:nist.gov:fips204:ml-dsa-44"` instead of simple upper case enum strings. This, however, is a significant breaking change to replace all existing identifiers in use.
- Extend `signer` definition
  The signature object supports `signer` as one of the types. A new type called `postQuantumSigner` could be created to extend `signer` to capture additional attributes related to PQ algorithms and also to support a broad range of PQ algorithms.

  ```json
  "properties": {
    "signers": {
      "type": "array",
      "title": "Signature",
      "description": "Unique top level property for Multiple Signatures. (multisignature)",
      "items": {"$ref": "#/definitions/signer"}
    }
  }
  ```
- Enable additional properties
Currently, additional properties are disabled for signer. To increase flexibility, this could be enabled.
This PR proposes a simple enhancement to the enum, key type indicators, and validation, making this feature >= 1.7 only without any possibility for backports.
TBD:
Enhancing CBOM to support the corresponding OID values.
| Algorithm | OID |
|---|---|
| ml-dsa-44 | 2.16.840.1.101.3.4.3.17 |
| ml-dsa-65 | 2.16.840.1.101.3.4.3.18 |
| ml-dsa-87 | 2.16.840.1.101.3.4.3.19 |
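
As an added example (not part of this pull request or the CycloneDX schema), a consumer-side structural check that runs before cryptographic verification: it accepts only the three identifiers proposed here, maps them to the OIDs in the table above, and rejects a signature whose decoded length does not match the parameter set. Assumptions: the signer object carries `algorithm` and a base64url `value`, the signature sizes are taken from FIPS 204, and the function names are hypothetical.

```python
import base64
import re

# Identifiers from this PR, OIDs from the table above.
# Signature sizes in bytes come from FIPS 204 (assumption added here).
ML_DSA = {
    "ML-DSA-44": ("2.16.840.1.101.3.4.3.17", 2420),
    "ML-DSA-65": ("2.16.840.1.101.3.4.3.18", 3309),
    "ML-DSA-87": ("2.16.840.1.101.3.4.3.19", 4627),
}
B64URL = re.compile(r"[A-Za-z0-9_-]+")


def decode_b64url(text):
    """Decode unpadded base64url, refusing anything outside the alphabet."""
    if not isinstance(text, str) or not B64URL.fullmatch(text):
        raise ValueError("value is not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_ml_dsa_signer(signer):
    """Return structural problems; an empty list means the signer may be
    passed on to real ML-DSA verification (this is not verification)."""
    algorithm = signer.get("algorithm")
    if not isinstance(algorithm, str) or algorithm not in ML_DSA:
        return [f"algorithm {algorithm!r} is not an ML-DSA identifier"]
    oid, sig_len = ML_DSA[algorithm]
    try:
        raw = decode_b64url(signer.get("value"))
    except ValueError as exc:
        return [f"{algorithm}: {exc}"]
    if len(raw) != sig_len:
        return [f"{algorithm} ({oid}): signature is {len(raw)} bytes, "
                f"expected {sig_len}"]
    return []


def sample_signer(algorithm, size):
    """Constructed sample: an all-zero 'signature' of the given size."""
    value = base64.urlsafe_b64encode(bytes(size)).rstrip(b"=").decode()
    return {"algorithm": algorithm, "value": value}


if __name__ == "__main__":
    print(check_ml_dsa_signer(sample_signer("ML-DSA-44", 2420)))
    print(check_ml_dsa_signer(sample_signer("ML-DSA-65", 2420)))
```

A length mismatch usually means the declared algorithm and the key that produced the signature disagree, which is worth surfacing as a distinct error rather than a generic verification failure.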