1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. fapi
  4. Issues

Very restrictive list of TLS ciphers suites

Issue #707 duplicate
Dag Sneeggen created an issue

The section https://openid.net/specs/fapi-2_0-security-profile-ID2.html#name-tls-12-permitted-cipher-sui lists 4 allowed cipher suites (or two really).

My company also has a very restrictive TLS 1.2 cipher suites but we have one more allowed suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256.

We’ve done this selection not only based on best practises such as https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/, but also several eID compliance requirements (MitID, FTN, DigID, iDIN, etc). It would be very difficult, if not impossible, to offer FAPI with these eIDs because the TLS requirements are not aligned.

So my question is: is there a specific reason why this cipher suite is not allowed? Would it be possible to include it in the list?

Comments (6)

  2. Joseph Heenan

    Hi Dag,

    The ciphers in FAPI are based on https://www.rfc-editor.org/rfc/rfc9325.html#name-cipher-suites-for-tls-12 which is maintained by the TLS working group in IETF.

    My recollection is that the last time a similar subject was discussed the FAPI working group thought the TLS working group in the IETF is in a much better place (more relevant expertise present there) to make these kind of judgements so I’d probably suggest asking your question on their mailing list:

    https://mailman3.ietf.org/mailman3/lists/tls@ietf.org/

    If you do this please do let us know what kind of response you get. I’d also be interested to know exactly what criteria the current ciphers don’t meet.

  4. Dag Sneeggen reporter

    Okay, thanks for the info guys. Seems like either my company needs to drop TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 or I’ll have to ask the WG like Joseph suggested.

  7. Log in to comment
Assignee
Type
bug
Priority
minor
Status
duplicate
Component
FAPI2: Security Profile
Milestone
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!