Subject: Re: [cti-taxii] HTTPs
Currently the spec has changed from "TAXII must require HTTPS" to "TAXII must require HTTPS TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and <insert two full pages of text here>".
I very much disagree with us specifying TLS levels and cipher suites in our specification. There are many problems with this:
- There will be vendors who do not have the ability to implement the prescribed suite for a variety of reasons, and if this is part of the spec we are basically saying those vendors can't implement TAXII.
- There will be consumers who will not want to implement the prescribed suite for a variety of reasons, and if this is part of the spec we are basically saying those consumers can't consume TAXII.
- The minimally viable cipher suite today is not the same one that will be minimally viable 6 months from now, so the whole chapter is entirely pointless and actually can be counter-productive, as at that point it will be mandating an insecure baseline.
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Jordan, Bret" ---02/21/2016 02:11:53 PM---I am going to propose that TAXII 2.x does NOT allow non-encrypted communications and propose that th
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 02/21/2016 02:11 PM
Subject: [cti-taxii] HTTPs
Sent by: <cti-taxii@lists.oasis-open.org>