OASIS Mailing List Archives

cti-taxii message



Subject: Re: [cti-taxii] HTTPS details in TAXII


My bad language. No problem just saying to do the minimum.

On Nov 11, 2016, at 11:13 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

Agree. 

Allan




On Fri, Nov 11, 2016 at 7:59 AM -0800, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:

All,

In Section 2 of the specification we talk about Transport requirements and some of the encryption requirements for implementing TAXII over HTTPS. I have a question / concern about one of the requirements that we have listed. It says:

TAXII Servers and Clients MUST implement TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [RFC5289] and MUST NOT offer or negotiate (bid down) an encrypted connection with parameters weaker than TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.

We have heard from a few people that they do not understand what is meant by "weaker than". There is a concern that people that are not super familiar with Crypto will get this wrong. So I am wondering if we can just be silent about this. As such I would like to propose that we just remove that requirement from the specification.

Bret
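
Added example, not part of the original thread or of the TAXII specification: a small comparison of cipher suite names against the baseline quoted above, showing why "weaker than" has no single answer once suites differ on more than one property. The four properties compared and their ordering (forward secrecy, AES key length, AEAD mode, hash size) are assumptions made for this illustration, and `parse`, `compare` and `BASELINE` are hypothetical names.

```python
import re
from typing import NamedTuple

class Suite(NamedTuple):
    # Assumed scoring for illustration: a higher value counts as "not weaker".
    forward_secrecy: int  # 1 if the key exchange is (EC)DHE, else 0
    key_bits: int         # AES key length
    aead: int             # 1 for GCM, 0 for CBC with HMAC
    hash_bits: int        # digest size of the suite's hash (160 for plain SHA)

# Covers only the AES-based IANA names needed for this example.
_NAME = re.compile(
    r"^TLS_(?:(ECDHE|DHE)_)?(?:RSA|ECDSA)_WITH_AES_(128|256)_(CBC|GCM)_SHA(256|384)?$"
)

def parse(name: str) -> Suite:
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"unsupported cipher suite name: {name}")
    kx, key, mode, digest = m.groups()
    return Suite(int(kx is not None), int(key), int(mode == "GCM"), int(digest or 160))

def compare(candidate: str, baseline: str) -> str:
    """Classify candidate relative to baseline, property by property."""
    pairs = list(zip(parse(candidate), parse(baseline)))
    lower = any(c < b for c, b in pairs)
    higher = any(c > b for c, b in pairs)
    if lower and higher:
        return "incomparable"  # lower on one property, higher on another
    return "weaker" if lower else "stronger" if higher else "equal"

BASELINE = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

if __name__ == "__main__":
    for suite in (
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ):
        print(f"{suite}: {compare(suite, BASELINE)}")
```

The last suite comes out as "incomparable": it has a shorter key and hash than the baseline but uses an AEAD mode, so whether it is "weaker" depends on which property an implementer ranks first.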
