Context
As part of moving JWT and RS256 crypto away from RustCrypto rsa, we are adopting AWS-LC backed crypto paths. A follow-up decision is whether Registry Stack should support an optional FIPS build profile.
Questions to answer
- Which binaries/crates would need FIPS-backed crypto in a supported deployment?
- Can aws-lc-rs be built with its fips feature across our release targets?
- What CI/release tooling would be required, including C/C++ compiler, CMake, Go, and bindgen/libclang where needed?
- Which AWS-LC-FIPS module version, NIST certificate, security policy, and supported operating environments would we rely on?
- What claims can we safely make, distinguishing "built with a FIPS module" from full application or deployment FIPS compliance?
- Should this be a separate release artifact/profile rather than the default build?
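One way the opt-in profile could be wired, shown here as an added example rather than anything taken from the Registry Stack repository: a Cargo feature that is off by default and forwards to the fips feature of aws-lc-rs. The package name and the name of the local feature are assumptions; only the aws-lc-rs crate and its fips feature are real.

```toml
# Added example manifest, not Registry Stack's own. Package name and the local
# "fips" feature name are assumptions; aws-lc-rs and its "fips" feature exist.
[package]
name = "registry-stack-auth"   # hypothetical crate owning the JWT / RS256 code
version = "0.1.0"
edition = "2021"

[dependencies]
# Default build: non-FIPS aws-lc-rs, the near-term replacement for RustCrypto rsa.
aws-lc-rs = "1"

[features]
# Nothing FIPS-related in the default feature set, so a plain `cargo build`
# never pulls in the FIPS module or its extra toolchain.
default = []

# Opt-in release profile. Enabling this swaps the aws-lc-rs backend to the
# AWS-LC FIPS module, which is why the FIPS build also needs a C/C++ compiler,
# CMake and Go on the build host (bindgen/libclang on targets without prebuilt
# bindings).
fips = ["aws-lc-rs/fips"]
```

Building the FIPS artifact is then `cargo build --release --features fips`, while the default build stays unchanged. Two points worth keeping in mind for the questions above: Cargo features are additive and unified per build, so once any crate in a workspace enables aws-lc-rs/fips every binary in that build links the FIPS module (which answers the "which binaries" question by construction, whether or not that was intended); and enabling the feature only makes the artifact "built with a FIPS module", it says nothing about whether the application restricts itself to approved algorithms or runs on a tested operating environment, which is the distinction the claims question asks about.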
Notes
Non-FIPS aws-lc-rs is the near-term target for replacing vulnerable RSA dependencies. This ticket is for a later compliance and release-engineering assessment, not a blocker for the current RSA vulnerability work.