AWS kms documentation change
Summary
1. Updated ML-DSA key spec names to underscores. 2. Removed a paragraph about message size limits and EXTERNAL_MU processing.
Security assessment
The naming convention update is non-functional. Removing the message size guidance could impact usability but lacks evidence of addressing a security flaw. No explicit security context is provided.
Diff
diff --git a/kms/latest/developerguide/mldsa.md b/kms/latest/developerguide/mldsa.md index 98a91483e..6de6eb637 100644 --- a//kms/latest/developerguide/mldsa.md +++ b//kms/latest/developerguide/mldsa.md @@ -7 +7 @@ -AWS Key Management Service (AWS KMS) supports Module-Lattice Digital Signature Algorithm (ML-DSA) for post-quantum cryptographic signatures. This implementation follows the [Federal Information Processing Standards (FIPS) 204 standard](https://csrc.nist.gov/pubs/fips/204/final) to help protect against future quantum computing threats. AWS KMS creates and protects all ML-DSA keys and signature operations in FIPS 140-3 Security Level 3 validated hardware security modules. To help balance security with performance, ML-DSA in AWS KMS offers three distinct security levels through different key specifications, ML-DSA-44, ML-DSA-65, and ML-DSA-87. +AWS Key Management Service (AWS KMS) supports Module-Lattice Digital Signature Algorithm (ML-DSA) for post-quantum cryptographic signatures. This implementation follows the [Federal Information Processing Standards (FIPS) 204 standard](https://csrc.nist.gov/pubs/fips/204/final) to help protect against future quantum computing threats. AWS KMS creates and protects all ML-DSA keys and signature operations in FIPS 140-3 Security Level 3 validated hardware security modules. To help balance security with performance, ML-DSA in AWS KMS offers three distinct security levels through different key specifications, ML_DSA_44, ML_DSA_65, and ML_DSA_87. @@ -11,2 +10,0 @@ AWS KMS supports asymmetric key signatures for messages up to 4 KB using the `RA -AWS KMS supports asymmetric key signatures for messages up to 4 KB using the RAW message type. For larger messages, you must compute an EXTERNAL_MU value. Use the EXTERNAL_MU message type to identify these pre-processed messages when signing. -