I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. The summary of the review is Ready with Nits. This document specifies the conventions for using the Hierarchical Signature System (HSS) / Leighton-Micali Signature (LMS) hash-based signature algorithm with the Cryptographic Message Syntax (CMS) and provides the algorithm identifier and public key syntax. All my comments below are minor to very minor. Section 6, Security Considerations, 1st paragraph. Why is it that compromise of the private keys only "may" lead to the ability to forge? "May" seems right for something like "result in forged signatures" but doesn't compromise of the private key lead pretty certainly to the *ability* to forge a signature? Somehow the presence of "non-volatile" is a bit jarring. I understand that you are talking about exceptional problems but perhaps it would be good to also say the "volatile" storage must not be used? Section 1.3, 3rd paragraph: Would it be reasonable to add just before the comma in the first sentence "but on the difficulty of finding pre-images of a strong hash function" or something like that? While I believe it, is there a reference for the "considered to be post-quantum secure" statement? Section 2.1, last sentence: While it is somewhat a matter of taste, arguably, except in the most surprising cases, the words "Note that" are mostly superfluous noise. (Ditto for two more "Note that"s in Section 4.) Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@xxxxxxxxx -- last-call mailing list -- last-call@xxxxxxxx To unsubscribe send an email to last-call-leave@xxxxxxxx