cti-taxii message


Subject: Re: [cti-taxii] TLS MUST Misconception


I completely agree. Let's just find the right language for the document. NOTE, right now I have most all of the requirements in Section 2 "TAXII Requirements"; however, long-term, most of them will be moved to the "Conformance" section. I tried to put all of them in one place to make it easier to find inconsistencies and contradictions.


Bret


From: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Eric Burger <Eric.Burger@georgetown.edu>
Sent: Wednesday, January 11, 2017 8:32:39 AM
To: cti-taxii@lists.oasis-open.org
Subject: [cti-taxii] TLS MUST Misconception
I sense a lot of the pushback on “TAXII servers MUST implement TLS 1.2 and SHOULD implement future versions of TLS” is of the vein that if TLS 1.2 blows up in the future, someone will say they HAVE to use TLS 1.2 to be a TAXII 2.0 server.

I will be the pot calling the kettle black and say that is a purely academic, will-never-happen-in-the-real-world situation.

One of two broad classes of remediations will happen in reality.

The first class of remediation is that TAXII is living and there will be future releases, which can specify alternative mandatory secure communications protocols while explicitly deprecating the use of TLS 1.2. OK, I already hear the cacophony of, “But my client won’t upgrade past TAXII 2.0.” We have existence proofs of this in the wild: how much Windows XP is still out there? However, those with Windows XP know they are SOL when it comes to security, and they made a choice to roll the dice (versus blowing up their nuclear plant because no one has run regression on the system with a modern OS: a Gordian Knot problem). As Shimon Peres said, “If a problem has no solution, it may not be a problem, but a fact - not to be solved, but to be coped with over time.”

The second class of remediation is since the proposal for the specification is to say “… SHOULD implement future versions of TLS” a one-page errata saying “don’t do TLS 1.2” is sufficient. No need to spend 18 months agonizing about opening the entire specification to fix it. That’s what we did with HTTP to get rid of SSL.
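As an added illustration (not part of this thread and not TAXII project code) of the point both messages make, the following Python models the “MUST implement TLS 1.2 and SHOULD implement future versions” requirement as a version floor rather than a pin, and models the second remediation path, a one-page errata withdrawing TLS 1.2, as a change to that floor. The `TlsPolicy`, `apply_errata` and `build_server_context` names are constructed for this example; only the `ssl` standard-library API is real.

```python
"""Added example (not from the cti-taxii thread): a "MUST TLS 1.2, SHOULD newer"
requirement expressed as a floor in Python's ssl module, plus a hypothetical
errata that withdraws TLS 1.2 by raising the floor.  All policy names are
constructed for illustration."""
import ssl
from dataclasses import dataclass, field

# Ordered list of TLS versions the ssl module knows about, oldest first.
TLS_ORDER = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


@dataclass
class TlsPolicy:
    """Constructed policy object: 'must' is the mandatory-to-implement version
    (a floor, not a pin); 'deprecated' holds versions an errata has withdrawn."""
    must: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2
    deprecated: set = field(default_factory=set)

    def floor(self) -> ssl.TLSVersion:
        # Effective floor: the lowest non-deprecated version at or above 'must'.
        for version in TLS_ORDER:
            if version >= self.must and version not in self.deprecated:
                return version
        raise ValueError("no acceptable TLS version remains")

    def permits(self, negotiated: ssl.TLSVersion) -> bool:
        # A negotiated version is acceptable if it is at or above the floor and
        # has not been withdrawn.  Anything newer than 'must' is allowed without
        # the policy having to name it, which is what SHOULD-newer buys you.
        return negotiated >= self.floor() and negotiated not in self.deprecated


def apply_errata(policy: TlsPolicy, withdraw: ssl.TLSVersion) -> TlsPolicy:
    """Model a one-page errata ("don't do TLS 1.2"): withdraw a single version
    and leave the rest of the requirement untouched."""
    return TlsPolicy(must=policy.must, deprecated=policy.deprecated | {withdraw})


def build_server_context(policy: TlsPolicy) -> ssl.SSLContext:
    """Turn the policy into an SSLContext with a floor but no ceiling, so any
    newer TLS version the linked OpenSSL supports is negotiated automatically.
    (An SSLContext cannot express a hole in the middle of the range; a policy
    that withdraws only the newest version would need a post-handshake check
    via permits().)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = policy.floor()
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    baseline = TlsPolicy()
    print("baseline floor:", baseline.floor().name)
    after_errata = apply_errata(baseline, ssl.TLSVersion.TLSv1_2)
    print("floor after errata:", after_errata.floor().name)
    print("server context minimum:", build_server_context(after_errata).minimum_version.name)
```

The design point is that the context sets `minimum_version` and leaves `maximum_version` open: a client offering TLS 1.3 is accepted today without any change to the requirement text, and withdrawing TLS 1.2 later is a one-line policy change rather than a rewrite of the whole configuration.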

