AWS privateca medium security documentation change
Summary
Added ML-DSA algorithms to supported key/signing algorithms and updated signing algorithm descriptions
Security assessment
The addition of ML-DSA (post-quantum cryptographic algorithms) directly enhances security documentation by introducing quantum-resistant options, addressing future cryptographic threats.
Diff
diff --git a/privateca/latest/userguide/PcaWelcome.md b/privateca/latest/userguide/PcaWelcome.md index e8d90b4e8..d59ed64d9 100644 --- a//privateca/latest/userguide/PcaWelcome.md +++ b//privateca/latest/userguide/PcaWelcome.md @@ -67 +67 @@ Supported algorithm Private key algorithms | Signing algorithms -RSA_2048 RSA_3072 RSA_4096 EC_prime256v1 EC_secp384r1 EC_secp521r1 SM2 (China Regions only) | SHA256WITHECDSASHA384WITHECDSASHA512WITHECDSASHA256WITHRSASHA384WITHRSASHA512WITHRSASM3WITHSM2 +ML_DSA_44 ML_DSA_65 ML_DSA_87 RSA_2048 RSA_3072 RSA_4096 EC_prime256v1 EC_secp384r1 EC_secp521r1 SM2 (China Regions only) | ML_DSA_44ML_DSA_65ML_DSA_87 SHA256WITHRSASHA384WITHRSASHA512WITHRSASHA256WITHECDSA SHA384WITHECDSASHA512WITHECDSASM3WITHSM2 @@ -73 +73,3 @@ This list applies only to certificates issued directly by AWS Private CA through -In all cases, the specified signing algorithm family (RSA or ECDSA) must match the algorithm family of the CA's private key. +For RSA or ECDSA, the specified signing algorithm family must match the key algorithm family of the CA's private key. + +For ML-DSA, the hash function is defined as part of the algorithm itself. There is no option to select a different hash function with ML-DSA. To maintain backward compatibility with the APIs, the same value is used for key algorithm and signing algorithm.