Subject: Re: [cti-taxii] HTTPS
I strongly support mandating TLS 1.2. It is supported by all the open source servers and clients, so there is lots of code to reuse, steal, or just run out-of-the-box. One word of warning: specifying HTTPS requires a bit more work than just saying “MUST implement TLS 1.2.” We need to specify what servers and clients should expect in the Subject field, any limitations or MTIs for cipher suites, etc. For example, for the open server TAXII case, I would say we would still require HTTPS, but allow the NULL cipher suite. That gets us some level of client and identity, as well as GZIP for free (well, paid for). That will also eliminate the mistaken thought that we need to allow HTTP access for open servers. Other things to specify are either requirements or implementation suggestions for what to do with self-signed certificates, etc. I know, “send text.” I may get to it over the break if someone does not jump in before me.