AWS rolesanywhere medium security documentation change
Summary
Added support for ML-DSA signature algorithms (AWS4-X509-MLDSA) and ML-DSA-44/65/87 variants
Security assessment
The addition of ML-DSA algorithms indicates support for post-quantum cryptography standards. This directly addresses emerging cryptographic security requirements by adding new secure signing methods, though no explicit vulnerability is mentioned.
Diff
diff --git a/rolesanywhere/latest/userguide/authentication-sign-process.md b/rolesanywhere/latest/userguide/authentication-sign-process.md index 9a75b92a1..18a826ea0 100644 --- a//rolesanywhere/latest/userguide/authentication-sign-process.md +++ b//rolesanywhere/latest/userguide/authentication-sign-process.md @@ -148 +148 @@ The “string to sign” is the actual input to the signing algorithm, and inclu - 1. The `Algorithm` is a string that indicates how the signature is calculated. It must be one of `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256` and MUST be supported by the key type of the signing certificate's private key. For example, if the signing certificate has an RSA private key, the full algorithm string will be `AWS4-X509-RSA-SHA256`. + 1. The `Algorithm` is a string that indicates how the signature is calculated. It must be one of `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA` and MUST be supported by the key type of the signing certificate's private key. For example, if the signing certificate has an RSA private key, the full algorithm string will be `AWS4-X509-RSA-SHA256`. @@ -170,0 +171,6 @@ SigningAlgorithm must be one of the following algorithms + * ML-DSA-44 + + * ML-DSA-65 + + * ML-DSA-87 + @@ -178 +184 @@ The signature derived from the previous step is added to the HTTP request in the - * Algorithm. As described above, instead of `AWS4-HMAC-SHA256`, the algorithm field will have the values of the form `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256` depending on whether an RSA or Elliptic Curve algorithm. This, in turn, is determined by the key bound to the signing certificate. + * Algorithm. As described above, instead of `AWS4-HMAC-SHA256`, the algorithm field will have the values of the form `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA` depending on whether an RSA, Elliptic Curve algorithm or ML-DSA. This, in turn, is determined by the key bound to the signing certificate. @@ -191 +197 @@ The signature derived from the previous step is added to the HTTP request in the - 1. The `Algorithm` must be one of `AWS4-X509-RSA-SHA256` or `AWS4-X509-ECDSA-SHA256`. + 1. The `Algorithm` must be one of `AWS4-X509-RSA-SHA256`, `AWS4-X509-ECDSA-SHA256` or `AWS4-X509-MLDSA`.