Part 2 text prevents the use of TLS 1.3
As reported by Ivan Ristic on #216, the current text in part 2:
Section 7.1 of Financial-grade API - Part 1: Read Only API Security Profile shall apply, with the following additional requirements:
- Only the following 4 cipher suites shall be permitted:
<…>
prevents the use of TLS 1.3 which doesn’t support these ciphers.
I suggest the whole block is prefixed with text along the lines of “… If not using TLS 1.3 or later …”.
I also checked into the status of BCP195; there’s no current draft I can find to update it to cover TLS 1.3 considerations. The feeling on the WG last year seemed to be that TLS 1.3 does not require the same degree of profiling that TLS 1.2 did, e.g. https://mailarchive.ietf.org/arch/msg/uta/1-ZbvY7HoLktPQk6U-YszUzEb9o
Comments (6)
- changed status to closed
FAPI-RW: Apply cipher restrictions to < TLS 1.3
These ciphers don't exist in TLS 1.3, and there's no currently known reason to apply any restrictions to TLS 1.3.
closes #248 → <<cset b0c2a3371099>>
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced