Subject: Re: [cti-taxii] HTTPs
Jason Keirstead wrote this message on Sun, Feb 21, 2016 at 18:49 -0400:

> Currently the spec has changed from "TAXII must require HTTPS" to "TAXII
> must require HTTPS TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and
> <insert two full pages of text here>.
>
> I very much disagree with us specifying TLS levels and cipher suites in our
> specification. There are many problems with this
>
> - There will be vendors who do not have the ability to implement the
> prescribed suite for a variety of reasons, and if this is part of the spec
> we are basically saying those vendors can't implement TAXII.

I cannot think of one reason that would prevent a vendor from implementing this other than engineering time... This is purely a "make a vendor's life easier at the cost of security" argument, and this argument is exactly why we have the sorry state of security we do today...

> - There will be consumers who will not want to implement the prescribed
> suite for a variety of reasons, and if this is part of the spec we are
> basically saying those consumers can't consume TAXII

I'm fine w/ requiring symmetric security equivalent of >128bit (not equal to), but we still need an MTI minimum for compatibility reasons...

> - The minimally viable cipher suite viable today is not the same one that
> will be minimally viable 6 months from now, so the whole chapter is
> entirely pointless and actually can be counter-productive, as at that point
> it will be mandating an insecure baseline.

Things don't move that quickly, though I will point out that post-quantum public/private algos are coming soon...

-- John-Mark
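The policy being argued over above (TLS 1.2 as the floor, one mandatory-to-implement suite for interoperability, and a symmetric strength strictly greater than 128 bits) can be expressed as a small client-side check. The following is an added example, not code from this thread or from any TAXII implementation; the suite name and the "> 128 bits" floor come from the messages above, while the function names, the constructed cipher list and the idea of a TAXII client enforcing this locally are assumptions made here. It uses only Python's standard `ssl` module: `SSLContext.minimum_version`, the `(name, protocol, bits)` tuple that `SSLSocket.cipher()` returns, and the list of dicts that `SSLContext.get_ciphers()` returns.

```python
import ssl

# Values taken from the thread: the proposed mandatory-to-implement (MTI) suite
# and a symmetric-strength floor that must be exceeded, not merely met.
# The IANA name is what a spec would cite; the OpenSSL-style name is what
# Python's ssl module reports for the same suite.
MTI_SUITE_IANA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
MTI_SUITE_OPENSSL = "ECDHE-RSA-AES256-SHA384"
MIN_SYMMETRIC_BITS = 128  # accepted strength must be > this value

# Protocol strings (as reported by SSLSocket.cipher()) that fall below TLS 1.2.
_BELOW_TLS12 = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def policy_context():
    """Hypothetical TAXII client context: certificate validation on (the
    default) and nothing older than TLS 1.2 negotiable."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_negotiated(cipher_info, min_bits=MIN_SYMMETRIC_BITS):
    """Evaluate the (name, protocol, bits) tuple from SSLSocket.cipher() on an
    established connection. Returns (ok, reason)."""
    name, protocol, bits = cipher_info
    if protocol in _BELOW_TLS12:
        return False, f"protocol {protocol} is below TLS 1.2"
    if bits <= min_bits:
        return False, f"{name} gives only {bits}-bit symmetric security"
    return True, f"{name} on {protocol} ({bits} bits) meets policy"


def audit_offered_suites(ciphers, min_bits=MIN_SYMMETRIC_BITS):
    """Audit a list of dicts shaped like SSLContext.get_ciphers() output.
    Reports whether the MTI suite is offered (the interoperability guarantee
    the reply asks for) and which offered suites fail the strength floor."""
    names = {c["name"] for c in ciphers}
    weak = sorted(c["name"] for c in ciphers if c["strength_bits"] <= min_bits)
    return {
        "mti_present": MTI_SUITE_OPENSSL in names,
        "weak_suites": weak,
        "acceptable": sorted(names - set(weak)),
    }


# Constructed sample in the shape get_ciphers() returns; not captured from any host.
SAMPLE_OFFERED = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
]

if __name__ == "__main__":
    print(audit_offered_suites(SAMPLE_OFFERED))
    print(check_negotiated(("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)))
    # To audit what this Python/OpenSSL build would actually offer under the policy:
    # print(audit_offered_suites(policy_context().get_ciphers()))
```

Note that a 128-bit suite such as AES-128-GCM is rejected by this policy only because the reply asks for strictly more than 128 bits; the audit also shows why an MTI suite matters, since two peers can each offer only "acceptable" suites and still share none without one.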