We have had a discussion on Slack today about NULL Cipher support for TAXII 2.0 HTTPS sessions. The general discussion seems to fallback to, we think people may need or want that, but we do not have any concrete reasons for supporting it. It also lends itself to being very hard to figure out if you are complaint. Which is a bad thing.
If you feel like you must have support for a NULL Cipher in TAXII 2.0, can you please give us some context or rational for it?
If this really is not a valid feature, and people do not need it, then I am going to propose that we strike it from the pre-draft spec.
Thanks,
Bret
Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."