Skip to content

Document CompositeMLDsa update to draft-08 breaking change #49609

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 6, 2025
Merged

Document CompositeMLDsa update to draft-08 breaking change #49609

merged 4 commits into from
Nov 6, 2025
+49 −1

Conversation

Copy link
Contributor

Copilot AI commented Nov 4, 2025
edited by github-actions bot
Loading

CompositeMLDsa was updated from draft-07 to draft-08 of the Composite ML-DSA for X.509 PKI specification in .NET 10.0.0. This update introduces incompatibilities in signature validation and key import/export formats across the draft boundary.

Changes

  • Breaking change document: Created docs/core/compatibility/cryptography/10.0/composite-mldsa-draft-08.md documenting the behavioral change, version introduced (10.0.0), and affected APIs
  • TOC and index updates: Added entry to docs/core/compatibility/toc.yml and docs/core/compatibility/10.0.md
  • Library documentation: Updated docs/core/whats-new/dotnet-10/libraries.md to reference draft 8 instead of draft 7

The document notes that draft-08 and draft-09 remain compatible, and emphasizes that CompositeMLDsa is marked [Experimental] pending specification finalization.

Fixes #120077

Original prompt

This section details on the original issue you should resolve

<issue_title>[Breaking change]: Update Composite ML-DSA to draft 8</issue_title>
<issue_description>### [Breaking change]: Update Composite ML-DSA to draft-08

Description

CompositeMLDsa has moved from draft-07 to draft-08 of the Composite ML-DSA for use in X.509 Public Key Infrastructure specification.

The draft-08 format is not compatible with the draft-07 signatures, and key export/import formats are also incompatible across the draft-07/draft-08 boundary.

Version

This breaking change was introduced between .NET 10 RC2 and .NET 10.0.0.

Previous behavior

Signatures were generated and validated according to draft-07 of Composite ML-DSA for use in X.509 Public Key Infrastructure.

Public key and private key export and import used the format from draft-07 of Composite ML-DSA for use in X.509 Public Key Infrastructure.

New behavior

Signatures were generated and validated according to draft-08 of Composite ML-DSA for use in X.509 Public Key Infrastructure.

Public key and private key export and import used the format from draft-08 of Composite ML-DSA for use in X.509 Public Key Infrastructure.

draft-08 and draft-09 are compatible

Type of breaking change

  • Behavioral change: Signatures generated with earlier versions of .NET 10 will cause VerifyData to always return false. Signatures generated with .NET 10 will likewise fail to verify for .NET 10 Preview and .NET 10 RC releases.
  • Behavioral change: Keys that were generated with earlier versions and exported may not import in .NET 10.0.0. Similarly, keys generated and exported in .NET 10.0.0 may not import in previous versions.

Reason for change

Staying current with the underlying specification.

Recommended action

The CompositeMLDsa class is marked as [Experimental], in part, because the specification is not yet complete.
Developers should not yet be depending on this class in production.

Any previously generated keys and signatures should be discarded.

Affected APIs

The following APIs are affected by this change:

  • System.Security.Cryptography.CompositeMLDsa

Additional resources

Comments on the Issue (you are @copilot in this section)

@PranavSenthilnathan In new behaviors section:

Signatures were generated and validated according to draft-07 of Composite ML-DSA for use in X.509 Public Key Infrastructure.

Should be something like "Signatures are generated and validated according to draft-08 of Composite ML-DSA for use in X.509 Public Key Infrastructure." Same for the keys.

I think keys generated and exported with the draft-08 spec can be imported with draft-07, but it's fine to leave it as is. People shouldn't be mixing the two anyway.</comment_new>
<comment_new>@bartonjs
Copy/paste bug fixed 😄</comment_new>

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Internal previews

📄 File 🔗 Preview link
docs/core/compatibility/10.0.md Breaking changes in .NET 10
docs/core/compatibility/cryptography/10.0/composite-mldsa-draft-08.md CompositeMLDsa updated to draft-08
docs/core/compatibility/toc.yml docs/core/compatibility/toc
docs/core/whats-new/dotnet-10/libraries.md What's new in .NET libraries for .NET 10

@gewarren
Add CompositeMLDsa draft-08 breaking change documentation
984f891 
Co-authored-by: gewarren <24882762+gewarren@users.noreply.github.com>
Copilot AI changed the title [WIP] Update Composite ML-DSA to draft 08 for compatibility Document CompositeMLDsa update to draft-08 breaking change Nov 4, 2025
Copilot AI requested a review from gewarren November 4, 2025 01:36
Copilot finished work on behalf of gewarren November 4, 2025 01:36
gewarren
gewarren approved these changes Nov 4, 2025
View reviewed changes
@gewarren gewarren marked this pull request as ready for review November 4, 2025 02:15
@gewarren gewarren requested a review from a team as a code owner November 4, 2025 02:15
Copilot AI review requested due to automatic review settings November 4, 2025 02:15
Copilot AI reviewed Nov 4, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR documents a breaking change where CompositeMLDsa was updated from draft-07 to draft-08 of the Composite ML-DSA specification in .NET 10 GA. The change updates documentation to reflect the new draft version and adds a breaking change article.

  • Updated library documentation to reflect draft 8 support
  • Added comprehensive breaking change documentation
  • Updated TOC and compatibility index to include the new breaking change article

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
docs/core/whats-new/dotnet-10/libraries.md Updated draft version reference from 7 to 8 with clarification
docs/core/compatibility/toc.yml Added new breaking change entry to the Cryptography section
docs/core/compatibility/cryptography/10.0/composite-mldsa-draft-08.md New breaking change documentation for draft-08 update
docs/core/compatibility/10.0.md Added breaking change entry to the Cryptography table

@gewarren
Apply suggestions from code review
a116217 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@gewarren gewarren enabled auto-merge (squash) November 4, 2025 18:54
@gewarren gewarren requested a review from bartonjs November 6, 2025 01:36
@gewarren gewarren merged commit 3768151 into main Nov 6, 2025
11 checks passed
@gewarren gewarren deleted the copilot/update-composite-ml-dsa-draft-08 branch November 6, 2025 18:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bartonjs bartonjs bartonjs approved these changes

+1 more reviewer

@gewarren gewarren gewarren approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@gewarren gewarren

Copilot code review Copilot

Labels

dotnet-fundamentals/svc

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Breaking change]: Update Composite ML-DSA to draft 8

3 participants

@bartonjs @gewarren