Parent: #28 · Track A (cert-side) · Depends on PR 1 (Rust SPKI OIDs) · Independent of PR 2
Scope
New opt-in validator that judges the leaf cert's PQ-signature posture.
Returns
{
"leaf_key_alg": "ml-dsa-65",
"leaf_sig_alg": "ml-dsa-65",
"is_pq": True,
"is_hybrid_composite": False,
"is_valid": True,
}Decision rules
is_valid: True if leaf key alg AND signature alg are PQ OR hybrid compositeis_valid: False if either is purely classicalis_hybrid_composite: True when a composite OID is in play
In scope
- New validator file + registration
- Docs page entry
Out of scope
- Adding to
DEFAULT_VALIDATORS — explicitly opt-in
- Chain walking (that's PR 6)
Files to touch
certmonitor/validators/pq_signature.py (new)- certmonitor/validators/init.py — register in
VALIDATORS dict only
docs/... + mkdocs.yml entrytests/test_validators/test_pq_signature.py (new)
Tests
- Per-algorithm validator tests (pure PQ leaf, hybrid composite leaf, classical leaf)
- Cert with PQ key but classical signature (and vice-versa) returns
is_valid: False
- Unknown algorithm returns structured error per project convention
Definition of Done
Parent: #28 · Track A (cert-side) · Depends on PR 1 (Rust SPKI OIDs) · Independent of PR 2
Scope
New opt-in validator that judges the leaf cert's PQ-signature posture.
Returns
{ "leaf_key_alg": "ml-dsa-65", "leaf_sig_alg": "ml-dsa-65", "is_pq": True, "is_hybrid_composite": False, "is_valid": True, }Decision rules
is_valid: Trueif leaf key alg AND signature alg are PQ OR hybrid compositeis_valid: Falseif either is purely classicalis_hybrid_composite: Truewhen a composite OID is in playIn scope
Out of scope
DEFAULT_VALIDATORS— explicitly opt-inFiles to touch
certmonitor/validators/pq_signature.py(new)VALIDATORSdict onlydocs/...+mkdocs.ymlentrytests/test_validators/test_pq_signature.py(new)Tests
is_valid: FalseDefinition of Done
make cicleanmkdocs.ymldevelopfromfeat/pq-signature-validatorDEFAULT_VALIDATORS)