The IETF published RFC 9881 in October 2025 as a Standards Track document, specifying the conventions for using the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 public key infrastructure certificates and Certificate Revocation Lists. ML-DSA is the quantum-resistant digital signature scheme standardized by the U.S. National Institute of Standards and Technology (NIST) in FIPS 204, published in August 2024.
Produced by the IETF’s Limited Additional Mechanisms for PKIX and SMIME (LAMPS) Working Group, RFC 9881 defines algorithm identifiers for three ML-DSA parameter sets: ML-DSA-44, ML-DSA-65, and ML-DSA-87, corresponding to NIST PQC security categories 2, 3, and 5. The document specifies encoding conventions for ML-DSA public keys, private keys, and signatures within the X.509 framework. Only the pure variant of ML-DSA is covered; the pre-hash variant is excluded.
RFC 9881 was authored by Jake Massimo and Panos Kampanakis of AWS; Sean Turner; and Bas Westerbaan of Cloudflare. It represents one of the first IETF Standards Track specifications to integrate NIST’s finalized PQC signature algorithms into the Internet’s certificate infrastructure. Prior to standardization, ML-DSA was known as CRYSTALS-Dilithium.
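As an added illustration of the algorithm identifiers and public key encoding described above (this is not code from the RFC or its authors), the following Python check validates a DER SubjectPublicKeyInfo against the three ML-DSA parameter sets. The OIDs (NIST's 2.16.840.1.101.3.4.3.17 through .19) and the FIPS 204 public key lengths are not quoted on this page and are supplied here; the helper names are hypothetical and the sample keys are constructed all-zero bytes.

```python
# Added example: OIDs are NIST's, key sizes are from FIPS 204; helper names are hypothetical.
OID_PREFIX = bytes.fromhex("6086480165030403")  # DER body of 2.16.840.1.101.3.4.3
ML_DSA = {  # final OID arc -> (name, NIST category, public key length in bytes)
    17: ("ML-DSA-44", 2, 1312),
    18: ("ML-DSA-65", 3, 1952),
    19: ("ML-DSA-87", 5, 2592),
}

def tlv(tag, value):  # encode one DER tag-length-value element
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def check_spki(der):
    """Validate an ML-DSA SubjectPublicKeyInfo; return (name, category)."""
    tag, spki, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, alg, pos = read_tlv(spki)
    oid_tag, oid, after_oid = read_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    if oid[:-1] != OID_PREFIX or oid[-1] not in ML_DSA:
        raise ValueError("not an ML-DSA algorithm identifier")
    if after_oid != len(alg):  # RFC 9881: parameters MUST be absent
        raise ValueError("parameters must be absent")
    name, category, pk_len = ML_DSA[oid[-1]]
    tag, bits, end = read_tlv(spki, pos)
    if tag != 0x03 or end != len(spki) or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    if len(bits) - 1 != pk_len:  # raw key bytes, no inner wrapping
        raise ValueError("public key length does not match parameter set")
    return name, category

def sample_spki(last_arc, key_len, params=b""):  # constructed sample, all-zero key
    alg = tlv(0x30, tlv(0x06, OID_PREFIX + bytes([last_arc])) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + bytes(key_len)))
```

The check is structural only: it rejects a NULL `parameters` field or a key whose length belongs to a different parameter set, but it does not verify any signature.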