AWS rolesanywhere medium security documentation change
Summary
Removed ML-DSA algorithm support and all references to ML-DSA signing methods
Security assessment
Elimination of ML-DSA algorithms suggests deprecation due to potential security weaknesses. Concrete evidence: removal of 3 ML-DSA variants and algorithm support statements.
Diff
diff --git a/rolesanywhere/latest/userguide/authentication-sign-process.md b/rolesanywhere/latest/userguide/authentication-sign-process.md index ca074a0c0..e35d53a8e 100644 --- a//rolesanywhere/latest/userguide/authentication-sign-process.md +++ b//rolesanywhere/latest/userguide/authentication-sign-process.md @@ -148 +148 @@ The “string to sign” is the actual input to the signing algorithm, and inclu - 1. The `Algorithm` is a string that indicates how the signature is calculated. It must be one of `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA` and MUST be supported by the key type of the signing certificate's private key. For example, if the signing certificate has an RSA private key, the full algorithm string will be `AWS4-X509-RSA-SHA256`. + 1. The `Algorithm` is a string that indicates how the signature is calculated. It must be one of `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256` and MUST be supported by the key type of the signing certificate's private key. For example, if the signing certificate has an RSA private key, the full algorithm string will be `AWS4-X509-RSA-SHA256`. @@ -169,3 +168,0 @@ SigningAlgorithm must be one of the following algorithms - * ML-DSA-44 - * ML-DSA-65 - * ML-DSA-87 @@ -179 +176 @@ The signature derived from the previous step is added to the HTTP request in the - * Algorithm. As described above, instead of `AWS4-HMAC-SHA256`, the algorithm field will have the values of the form `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA` depending on whether an RSA, Elliptic Curve algorithm or ML-DSA is used. This, in turn, is determined by the key bound to the signing certificate. + * Algorithm. As described above, instead of `AWS4-HMAC-SHA256`, the algorithm field will have the values of the form `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256` depending on whether an RSA or Elliptic Curve algorithm. This, in turn, is determined by the key bound to the signing certificate. @@ -192 +189 @@ The signature derived from the previous step is added to the HTTP request in the - 1. The `Algorithm` must be one of `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA`. + 1. The `Algorithm` must be one of `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256`.