TLS 1.0 should be banned
Currently, API overview says
TLS version 1.0 is the most widely deployed version, and will give the broadest interoperability.
This is probably unacceptable for financial services, as this is completely insecure. It should follow [RFC7525] Sheffer, Y., Holz, R. and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015.
Comments (11)
-
The OBWG report stated that: "API connections and data in transit should be encrypted using TLS v1.2 as a minimum."
I suggest some statement like the above, in conjunction with the reference to RFC7525.
-
reporter Agreed. Will incorporate in the coming draft.
-
reporter - changed status to open
Agreement in the WG.
-
reporter - changed status to resolved
Done. Now:
7.1 TLS Considerations
Since confidential information is being exchanged, all interactions shall be encrypted with TLS/SSL (HTTPS) in accordance with the recommendations in RFC7525. TLS version 1.2 or later shall be used for all communications.
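As an added example, not part of the issue thread or of the FAPI specification text, the following Python code shows how a client would enforce the resolved requirement (TLS 1.2 or later, with certificate and hostname verification as RFC 7525 recommends) using only the standard-library `ssl` module, together with an audit helper that flags a context falling short of section 7.1. All function names are this example's own; the negative case is a deliberately constructed weak context used only to show what the audit reports.

```python
import ssl

# Section 7.1 floor: TLS 1.2 or later shall be used for all communications.
MINIMUM_ALLOWED = ssl.TLSVersion.TLSv1_2


def make_fapi_client_context() -> ssl.SSLContext:
    """Client-side SSLContext that refuses anything below TLS 1.2.

    create_default_context() already enables peer certificate verification and
    hostname checking; the minimum version is pinned explicitly so the floor
    does not depend on the Python/OpenSSL build's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MINIMUM_ALLOWED
    # RFC 7525 also recommends disabling TLS compression; set it explicitly.
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def version_meets_requirement(version_name: str) -> bool:
    """Check a negotiated protocol name as returned by SSLSocket.version().

    The ssl module reports 'TLSv1' for TLS 1.0, 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'.
    Only 1.2 and 1.3 satisfy section 7.1.
    """
    return version_name in {"TLSv1.2", "TLSv1.3"}


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a client context; empty means compliant.

    Intended for client contexts (hostname checking is expected there).
    """
    findings = []
    if ctx.minimum_version < MINIMUM_ALLOWED:
        findings.append("minimum_version below TLS 1.2 (violates 7.1)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    return findings


def make_verification_disabled_context() -> ssl.SSLContext:
    """Constructed negative case for the audit: a context with peer
    verification switched off, the kind of setting the audit must catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    good = make_fapi_client_context()
    print("compliant context findings:", audit_context(good))
    print("weak context findings:", audit_context(make_verification_disabled_context()))
    for name in ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(name, "ok" if version_meets_requirement(name) else "rejected")
```

The audit is a configuration check, not a network test: after connecting, `version_meets_requirement(sock.version())` confirms what was actually negotiated, which is the value a monitoring or conformance test should record.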
-
reporter - changed component to Part 1: RO Security
-
reporter - changed component to Part 1: Baseline
-
reporter - changed component to FAPI 1 - Part 1: Baseline
-
reporter - changed component to FAPI 1 – Part 1: Baseline
-
reporter - changed component to FAPI 1 – Baseline
-
reporter - changed component to FAPI 1: Baseline
-
#13 - TLS 1.0 should be banned → <<cset a07bc0704252>>