Description
Consider the change proposed as Stage 2 in #643 - Update TLS cipher suite requirements to address DHEat Attacks and Raccoon Attack vulnerabilities
Intention and Value of Change
Improves transaction layer security to prevent exploits including the DHEat Attack and Raccoon Attack.
Area Affected
The list of supported ciphers documented in Security Profile -> Transaction Security -> Ciphers.
Change Proposed
(Stage 2 from #643 - Update TLS cipher suite requirements to address DHEat Attacks and Raccoon Attack vulnerabilities):
Adopt BCP 195 rather than explicitly listing required ciphers
This stage changes the supported ciphers section to remove the reference to explicit ciphers and instead refer to BCP 195. There are some relevant TLS considerations in the FAPI profile, so it is proposed that the standard is changed to clearly adopt section 8.5 of FAPI 1 Advanced, and then further constrain it by only permitting the cipher suites recommended in the current BCP 195.
Whilst TLS_ECDHE_* cipher suites are recommended by BCP 195, they are not required. Consideration should be given as to whether the recommended cipher suites should actually be REQUIRED by the Consumer Data Standards.
Alternatively, another solution option is to only implement stage 1 and defer to BCP 195 when the standards are uplifted to FAPI 2.0.
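As an added example (not part of this issue or of the Consumer Data Standards project), the following Python derives the Stage 2 cipher set as the intersection of the TLS 1.2 suites FAPI 1 Advanced section 8.5 permits and the TLS 1.2 suites the current BCP 195 (RFC 9325) recommends, then builds a server-side SSLContext from it and checks that no finite-field DHE suite (the key exchange behind DHEat and Raccoon) can still be offered. Both suite lists are my own transcription of those documents, not values from this issue, and should be verified against the current editions.

```python
import ssl

# Assumed transcription of the TLS 1.2 suites FAPI 1.0 Advanced section 8.5 permits
# (not taken from the issue text; verify against the FAPI specification).
FAPI1_ADV_TLS12 = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Assumed transcription of the TLS 1.2 suites RFC 9325 (current BCP 195) recommends.
BCP195_TLS12_RECOMMENDED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# IANA names -> OpenSSL names, as required by ssl.SSLContext.set_ciphers().
OPENSSL_NAMES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}

def uses_finite_field_dh(suite: str) -> bool:
    """True for TLS_DHE_* suites: finite-field DH, the exchange DHEat and Raccoon target."""
    return suite.startswith("TLS_DHE_")

def permitted_suites() -> set[str]:
    """Stage 2 policy: FAPI 1 Advanced 8.5, further constrained to BCP 195 recommendations."""
    return FAPI1_ADV_TLS12 & BCP195_TLS12_RECOMMENDED

def dropped_suites() -> set[str]:
    """Suites FAPI 1 Advanced allows on their own but the constrained policy removes."""
    return FAPI1_ADV_TLS12 - BCP195_TLS12_RECOMMENDED

def build_server_context() -> ssl.SSLContext:
    """Server-side SSLContext enforcing TLS 1.2+ and only the permitted TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(OPENSSL_NAMES[s] for s in permitted_suites())))
    return ctx

def negotiable_dhe_suites(ctx: ssl.SSLContext) -> list[str]:
    """Check: OpenSSL names of any finite-field DHE suite the context would still offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["name"].startswith("DHE-")]
```

The TLS 1.3 suites reported by get_ciphers() are unaffected by set_ciphers() and all use (EC)DHE, so they are left in place.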