On Tue, Jan 06, 2026 at 12:02:51AM -0800, Eric Biggers wrote: > For simplicity and to avoid this issue entirely, I suggest just allowing > SHA-512 only. That's the only one that RFC 9882 says MUST be supported > with ML-DSA.
That being said, this is only applicable for the case where signed attributes are used. If you can get the other case working properly and just support that case, where the real user message is what is passed to ML-DSA, that would also avoid this issue and be much simpler. - Eric
