Track A · PR 2/7 — key_info validator: recognize PQ algorithms #30

@bradh11

Parent: #28 · Track A (cert-side) · Depends on PR 1 (Rust SPKI OIDs)

Scope

Update key_info validator's _is_key_strong_enough method so PQ certs return is_valid: True instead of the current misleading is_valid: None.

In scope

  • Add recognition for ML-DSA-44 / 65 / 87, SLH-DSA variants, Falcon, hybrid composites
  • Preserve existing RSA / EC behavior exactly

Out of scope

  • Adding key_info to DEFAULT_VALIDATORS (already there — no change)
  • Any Rust changes

Files to touch

Tests

  • One test per new PQ algorithm asserting is_valid: True
  • Regression test: RSA-2048, RSA-1024 (weak), P-256, P-192 (weak) all behave as before
  • Edge case: unknown PQ algorithm name still returns is_valid: None

Definition of Done

  • make ci clean
  • Coverage ≥ 95%
  • CHANGELOG entry added
  • PR opened against develop from feat/pq-key-info
  • Existing key_info users see no behavior change for non-PQ certs
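
The tri-state behaviour the issue asks for, as an added example that is not part of the issue and not the project's code. The function signature, the algorithm-name normalization and the RSA/EC minimums are assumptions chosen to match the regression cases listed above; hybrid composites are left out because the issue does not give their naming.

```python
import re

# Assumed minimums, chosen so the issue's regression cases hold:
# RSA-1024 and P-192 are weak, RSA-2048 and P-256 are acceptable.
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256

# Exact parameter sets only. Spellings follow FIPS 204 (ML-DSA) and
# FIPS 205 (SLH-DSA); Falcon is defined at sizes 512 and 1024.
PQ_PATTERNS = (
    re.compile(r"ML-DSA-(44|65|87)"),
    re.compile(r"SLH-DSA-(SHA2|SHAKE)-(128|192|256)[SF]"),
    re.compile(r"FALCON-(512|1024)"),
)


def is_key_strong_enough(algorithm, key_size=None):
    """Return True (strong), False (weak) or None (cannot judge)."""
    name = algorithm.strip().upper().replace("_", "-")
    if name == "RSA":
        return None if key_size is None else key_size >= MIN_RSA_BITS
    if name in ("EC", "ECDSA"):
        return None if key_size is None else key_size >= MIN_EC_BITS
    # fullmatch, not a prefix test: "ML-DSA-99" must not pass as strong.
    if any(p.fullmatch(name) for p in PQ_PATTERNS):
        return True
    return None  # unknown algorithm: report "not assessed", never True


def summarize(certs):
    """Map each (label, algorithm, key_size) to its tri-state verdict."""
    return {label: is_key_strong_enough(alg, size) for label, alg, size in certs}


# Constructed sample inputs (not taken from the project).
SAMPLE = [
    ("rsa-2048", "RSA", 2048),
    ("rsa-1024", "RSA", 1024),
    ("p-256", "EC", 256),
    ("p-192", "EC", 192),
    ("ml-dsa-65", "ML-DSA-65", None),
    ("slh-dsa", "SLH-DSA-SHA2-128s", None),
    ("falcon", "Falcon-512", None),
    ("bogus-pq", "ML-DSA-99", None),
]

if __name__ == "__main__":
    for label, verdict in summarize(SAMPLE).items():
        print(f"{label:12} is_valid={verdict}")
```
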
