Subject: Re: [cti-taxii] Authentication


The nice thing about saying HTTPS everywhere is the decision as to what to do with self-signed certificates is rightly a matter of local policy.

If I am in a high security, very limited distribution ISAC or C/F/N-TLA government agency, I am going to impose a very stringent X.509 policy, like your certificate must be signed by one of three root CAs and I will pin your CA and if your root CA changes without you telling me, I will reject the connection.

If I am in a public information distribution ISAO or D-TLA government agency where my remit is to publish information to the world, I will happily accept a self-signed certificate or accept a certificate that you claim to be ICBC (China) but your root CA is DoD (US).

About the only thing we should say here is that implementors may wish to have their products support the appropriate certificate policies and if that policy is a promiscuous one, to PLEASE not pop up a modal dialog box saying someone is trying to connect with a self-signed certificate.

> On Oct 12, 2015, at 4:30 AM, Trey Darley <trey@soltra.com> wrote:
> 
> On 08.10.2015 11:52:10, Davidson II, Mark S wrote:
>> 
>> Under this idea, TAXII would be "HTTPS everywhere".
>> 
> 
> Assuming that TAXII 2.0 is REST-based, defining JWT as the MTI
> authentication mechanism is obvious.
> 
> As for the notion of TAXII being "HTTPS everywhere", I'll just point
> out that key management is the hardest part of crypto. If I'm running
> an ISA{C,O}, obviously I'm going to opt for the strongest EV cert
> money can buy.
> 
> But what about all the endpoint devices out there? Vendors (including
> Soltra, to be fair) use self-signed certs all over the place. Seems
> like there be dragons here...
> 
> -- 
> Cheers,
> Trey
> --
> Trey Darley
> Senior Security Engineer
> 4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
> Soltra | An FS-ISAC & DTCC Company
> www.soltra.com

Attachment: smime.p7s
Description: S/MIME cryptographic signature
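The two local policies the message above contrasts (a strict one that pins the root CA and rejects a changed root, and a public one that accepts self-signed certificates but only logs the fact instead of raising a modal prompt), as an added Python example that is not part of the thread; the certificate bytes, fingerprints and policy names are constructed assumptions, and pinning is meant to run alongside, not instead of, normal chain validation.

```python
"""Local-policy handling of TAXII peer certificates (illustrative only).

STRICT: the root CA of the presented chain must match a pinned SHA-256
fingerprint, otherwise the connection is rejected.
PUBLIC: any chain, self-signed included, is accepted; the event is logged
non-interactively rather than shown in a dialog box.
"""
import hashlib
import logging
import ssl
from dataclasses import dataclass, field

log = logging.getLogger("taxii.tls")


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, hex, as used for pinning."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class CertPolicy:
    mode: str                                       # "strict" or "public"
    pinned_roots: set = field(default_factory=set)  # sha256 hex of allowed roots


def evaluate_chain(chain_der: list, policy: CertPolicy) -> tuple:
    """Return (accepted, reason). chain_der is leaf first, root CA last."""
    if not chain_der:
        return False, "empty chain"
    root_fp = fingerprint(chain_der[-1])
    if policy.mode == "strict":
        if root_fp in policy.pinned_roots:
            return True, "root pinned"
        # The root changed without notice: reject and record why.
        log.warning("rejecting peer: root CA %s not pinned", root_fp[:16])
        return False, "unpinned root CA"
    if policy.mode == "public":
        if len(chain_der) == 1:  # self-signed: log it, no modal dialog
            log.info("accepting self-signed peer cert %s", root_fp[:16])
        return True, "public policy accepts any chain"
    return False, "unknown policy mode"


def ssl_context_for(policy: CertPolicy) -> ssl.SSLContext:
    """Client SSLContext matching the policy; strict keeps full verification."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if policy.mode == "public":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # the promiscuous local policy
    return ctx
```

In strict deployments the pinned set would be loaded from local configuration and `evaluate_chain` called on the chain returned after the normal TLS handshake verification succeeds.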