cti-taxii message


Subject: Re: [cti-taxii] HTTPs


Currently the spec has changed from "TAXII must require HTTPS" to "TAXII must require HTTPS TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and <insert two full pages of text here>".

I very much disagree with us specifying TLS levels and cipher suites in our specification. There are many problems with this:

- There will be vendors who do not have the ability to implement the prescribed suite for a variety of reasons, and if this is part of the spec we are basically saying those vendors can't implement TAXII.

- There will be consumers who will not want to implement the prescribed suite for a variety of reasons, and if this is part of the spec we are basically saying those consumers can't consume TAXII.

- The minimally viable cipher suite today is not the same one that will be minimally viable 6 months from now, so the whole chapter is entirely pointless and actually can be counter-productive, as at that point it will be mandating an insecure baseline.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 02/21/2016 02:11 PM
Subject: [cti-taxii] HTTPs
Sent by: <cti-taxii@lists.oasis-open.org>





I am going to propose that TAXII 2.x does NOT allow non-encrypted communications and propose that that text be removed from the pre-draft specs.

We asked for feedback on this issue several weeks ago, and have yet to hear anyone suggest a reason why TAXII 2.x needs to support non-encrypted HTTPS sessions (aka null ciphers).

If you believe TAXII 2.x should support non-encrypted sessions, please speak up and give us your use-cases.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."



