OASIS Mailing List Archives

openc2 message
Subject: DKS34 - TLS 1.3 - HTTPS CSPRD Comment


Page 14 lines 39ish-42ish (Section 3.2.3) and page 17 lines 44ish-47ish (Section 4.2)

Since we are "new" and TLS 1.3 is current best practice and has been for years, shouldn't we require TLS 1.3? Some argue for 1.2 for backwards compatibility, but there are no OpenC2 instantiations operating 1.2 today, so there are no devices to be backwards compatible with. If the issue is that there are browsers not yet compatible with TLS 1.2, note there are no use cases where either the OpenC2 producer or the OpenC2 consumer is a browser.


At a minimum I'd propose the following change on page 13 lines 44ish-47ish (Section 4.2) for "full conformance":

Change 

Fully-authenticated implementations of this transfer specification MUST support mutual authentication using public key certificates with full path validation, as specified in Section 3.2.3.

To

Fully-authenticated implementations of this transfer specification MUST support mutual authentication using public key certificates with full path validation and SHALL use TLS 1.3 or higher, as specified in Section 3.2.3.


I would also prefer it change in all other places as well, e.g.:

Page 14 lines 39ish-42ish (Section 3.2.3) 

HTTPS, the transmission of HTTP over TLS, is specified in Section 2 of [RFC2818]. OpenC2 endpoints MUST accept TLS version 1.2 [RFC5246] connections or higher for confidentiality, identification, and authentication when sending OpenC2 messages over HTTPS, and SHOULD accept TLS Version 1.3 [RFC8446] or higher connections.

OpenC2 endpoints MUST NOT support any version of TLS prior to v1.2 and MUST NOT support any version of Secure Sockets Layer (SSL).

The implementation and use of TLS SHOULD align with the best currently available security guidance, such as that provided in [RFC7525]/BCP 195.

The TLS session MUST use non-NULL ciphersuites for authentication, integrity, and confidentiality. Sessions MAY be renegotiated within these constraints.

OpenC2 endpoints supporting TLS v1.2 MUST NOT use any of the blacklisted ciphersuites identified in Appendix A of [RFC7540].

OpenC2 endpoints supporting TLS 1.3 MUST NOT implement zero round trip time resumption (0-RTT).

To

HTTPS, the transmission of HTTP over TLS, is specified in Section 2 of [RFC2818]. OpenC2 endpoints MUST accept TLS version 1.3 [RFC8446] connections or higher for confidentiality, identification, and authentication when sending OpenC2 messages over HTTPS.

OpenC2 endpoints MUST NOT support any version of TLS prior to v1.3 and MUST NOT support any version of Secure Sockets Layer (SSL).

The implementation and use of TLS SHOULD align with the best currently available security guidance, such as that provided in [RFC7525]/BCP 195.

The TLS session MUST use non-NULL ciphersuites for authentication, integrity, and confidentiality. Sessions MAY be renegotiated within these constraints.

OpenC2 endpoints supporting TLS 1.3 MUST NOT implement zero round trip time resumption (0-RTT).


Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/
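The following is an added example, not part of Duncan's message or of the OpenC2 HTTPS transfer specification. It shows what the proposed Section 3.2.3/4.2 text means when turned into an endpoint configuration with CPython's standard ssl module: a TLS 1.3 floor (which also rules out every SSL version), mutual authentication with path validation, and only non-NULL ciphersuites, next to the TLS 1.2 floor the post argues against, with an audit function that reports where a context falls short. The certificate and key file paths are caller-supplied placeholders; nothing here opens a socket.

```python
"""Enforce and audit the proposed OpenC2-over-HTTPS TLS profile with CPython's ssl module.

Added example, not part of the OpenC2 HTTPS transfer spec or the mailing-list post.
Certificate/key file paths are caller-supplied placeholders; no network I/O happens here.
"""
import ssl
from typing import List, Optional


def build_openc2_context(server_side: bool,
                         cafile: Optional[str] = None,
                         certfile: Optional[str] = None,
                         keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Return a context matching the proposed text: TLS 1.3 floor, mutual auth, no NULL suites."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("linked OpenSSL lacks TLS 1.3; cannot meet the proposed profile")
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    # create_default_context() loads the trust store (or `cafile`), enables
    # certificate verification with path validation, and excludes NULL/export suites.
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    # "MUST NOT support any version of TLS prior to v1.3 ... or any version of SSL":
    # a protocol floor is the right knob; the per-version OP_NO_* options are deprecated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # "MUST support mutual authentication ... with full path validation":
    # demand a verifiable chain from the peer in both directions. Server-side
    # contexts default to CERT_NONE, so this line is what turns on client auth.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # this endpoint's own identity
    # 0-RTT: CPython exposes no early-data API and OpenSSL's default
    # max_early_data is 0, so a context built here never accepts 0-RTT.
    return ctx


def build_legacy_context(server_side: bool = True) -> ssl.SSLContext:
    """The weaker configuration the post argues against: TLS 1.2 floor, no client auth."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings against the proposed text; an empty list means the context complies."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(f"minimum_version is {ctx.minimum_version.name}; MUST be TLSv1_3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED; peer certificate is not demanded")
    # "MUST use non-NULL ciphersuites": OpenSSL names NULL-encryption suites with "NULL".
    null_suites = [c["name"] for c in ctx.get_ciphers() if "NULL" in c["name"]]
    if null_suites:
        findings.append("NULL ciphersuites enabled: " + ", ".join(null_suites))
    return findings


if __name__ == "__main__":
    for label, ctx in (("proposed", build_openc2_context(server_side=True)),
                       ("legacy", build_legacy_context())):
        print(label, audit_tls_context(ctx) or "OK")
```

Run against a real deployment, `audit_tls_context` is the check to apply to whatever context an OpenC2 producer or consumer actually hands to its HTTP library; the TLS 1.2 context fails on both the version floor and the missing client-certificate requirement, which is exactly the gap between the current draft text and the proposed one.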

 


