cti-taxii message



Subject: Re: [cti-taxii] Items in scope vs out of scope


These are all great points and this is why I would like to insist that we have a defined extension point in the authentication process for TAXII 2.0.  It would be great if this was also discoverable so clients could auto-detect.  But we may need to make that optional.  Can anyone speak to that?  

HTTP Basic + JWT as the MTI seems like a good idea that most people can get behind. It is just important to note that you could have a policy that says you do not accept HTTP Basic + JWT authentication.  In this case you could just respond with a simple error message and either tell the user why or not, depending on your security model.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 16, 2015, at 12:54, Foley, Alexander - GIS <alexander.foley@bankofamerica.com> wrote:

For an example where "special" certs might lead to a barrier to entry, US-CERT's CISCP program insists on using FedBridge certificates at the moment.  I know both ourselves and another large financial services firm have had trouble obtaining this type of certificate due to general confusion from our internal approval processes and even with external CAs who can't scale requests for certificates that require additional verification.

This is not to say that we'd necessarily have the same trouble with extended validation certificates -- but we're certainly making it harder for the average bear to use SSL if we prefer or require them.

Thanks,

Alex

-----Original Message-----
From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Tony Rutkowski
Sent: Friday, October 16, 2015 10:45 AM
To: Terry MacDonald
Cc: Jordan, Bret; cti-taxii@lists.oasis-open.org
Subject: Re: [cti-taxii] Items in scope vs out of scope

Hi Terry,

Your concerns certainly reflect those of many in the community.  On the other hand, there are arguably more ubiquitous TAXII use cases where EV certs have a value proposition.  Perhaps this all gets folded into the trust model options.

--tony


On 2015-10-15 7:14 PM, Terry MacDonald wrote:
I personally don't hold a lot of value in the use of EV Certs.
Certificate Authorities have a long history of getting social
engineered, hacked, and so forth. I think if people are super
concerned with validation of certificates then that will happen either
with phone calls to repeat the fingerprints of certs, or for super
secret trustgroups people will use their own shared PKI solution (e.g.
separate offline trustgroup root cert, with a trustgroup run issuing
server for all participants). Vendors will of course issue client
certs through their vendor portals, or just accept the user auth as
confirmation of the TAXII client's identity.
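The authentication model Bret proposes above (HTTP Basic + JWT as the mandatory-to-implement schemes, a defined extension point for others, and a deployment policy that may refuse a scheme with an error that does or does not explain why), as an added Python example. This is not code from the thread, from OASIS, or from any TAXII implementation. The HS256 shared secret, the demo account, the `AUTHENTICATORS` registry and the `authenticate` function are assumptions made for illustration; the 401 `WWW-Authenticate` challenge is used as the discoverable part, since a client can read the accepted schemes from it without prior configuration.

```python
"""TAXII 2.0-style authentication dispatch (added example, not OASIS/TAXII code).
Assumption: JWTs are HS256 over a shared secret; a real server would use
asymmetric keys, a hashed password store and case-insensitive header lookup."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

SECRET = b"constructed-demo-hs256-secret"      # constructed, not a real key
USERS: Dict[str, str] = {"analyst": "hunter2"}  # constructed demo account


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(sub: str, secret: bytes, ttl: int = 300,
             now: Optional[int] = None, alg: str = "HS256") -> str:
    """Mint a compact JWT; always HMAC-signed, `alg` is varied only to exercise the verifier."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the token is HS256-signed with `secret` and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # pin the algorithm: the token must not choose how it is verified
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if int(claims["exp"]) <= (int(time.time()) if now is None else now):
            return None
        return str(claims["sub"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


# An authenticator gets the credential after the scheme name and returns a principal or None.
Authenticator = Callable[[str], Optional[str]]


def basic_auth(credential: str) -> Optional[str]:
    try:
        user, _, password = base64.b64decode(credential, validate=True).decode().partition(":")
    except ValueError:
        return None
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return user
    return None


def bearer_jwt_auth(credential: str) -> Optional[str]:
    return verify_jwt(credential, SECRET)


# The extension point: scheme name -> authenticator. The MTI pair is registered here; a
# deployment adds its own (say, a mutual-TLS hook) without changing authenticate().
AUTHENTICATORS: Dict[str, Authenticator] = {"Basic": basic_auth, "Bearer": bearer_jwt_auth}


def authenticate(headers: Dict[str, str], allowed: Iterable[str],
                 registry: Dict[str, Authenticator] = AUTHENTICATORS,
                 explain: bool = True) -> Tuple[int, Dict[str, str], dict, Optional[str]]:
    """Dispatch on the Authorization scheme; return (status, headers, body, principal).
    `allowed` is the deployment policy; `explain` decides whether a rejected client
    is told why (the "tell the user or not, depending on your security model" choice)."""
    allowed = [s for s in allowed if s in registry]
    # Discoverability: the challenge lists exactly the schemes this deployment accepts.
    challenge = {"WWW-Authenticate": ", ".join(f'{s} realm="taxii"' for s in allowed)}

    def reject(reason: str):
        body = {"title": "Unauthorized",
                "description": reason if explain else "authentication failed"}
        return 401, challenge, body, None

    auth = headers.get("Authorization", "")
    if not auth:
        return reject("no credentials supplied")
    scheme, _, credential = auth.partition(" ")
    if scheme not in registry:
        return reject(f"unknown scheme {scheme!r}")
    if scheme not in allowed:
        return reject(f"scheme {scheme!r} is not accepted by this server's policy")
    principal = registry[scheme](credential.strip())
    if principal is None:
        return reject("invalid credentials")
    return 200, {}, {"principal": principal}, principal
```

Two details go slightly beyond the discussion: the verifier pins the JWT algorithm rather than trusting the token's `alg` header, and both password and signature comparisons use `hmac.compare_digest`, since a scheme that is mandatory to implement will be the one attackers probe first.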









