10.10 - I think this requirement is a little dangerous if not implemented correctly, and you can end up shooting yourself in the foot - https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead. I think adding that this should be applied taking certain considerations into account would be recommended.
10.12 - I would think this would be applicable to L2 as well
10.13 - I think this is too stringent, especially for L1. The threat model is if someone is both able to get the server key + log all traffic. Besides Heartbleed, I don't think that this would be something that a normal L1 application should be worried about. Also, if an attacker has access to the application server, they can steal all the sensitive data anyway.
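The 10.13 point (an attacker who both obtains the server key and records traffic) comes down to which key exchange the configured cipher suites use: with static RSA or static PSK key transport, a leaked long-term key decrypts every recorded session, while with ephemeral (EC)DHE it does not. As an added example, not from the comment author or the ASVS project, the script below audits an OpenSSL-style cipher list of the kind used in an nginx `ssl_ciphers` or Apache `SSLCipherSuite` directive, separates forward-secret suites from static and anonymous ones, and asks the local OpenSSL build the same question through Python's `ssl` module. The sample cipher list is constructed, and all function names are my own.

```python
import re
import ssl

# Constructed sample: an OpenSSL-style cipher list as it might appear in an
# nginx `ssl_ciphers` directive. It deliberately mixes forward-secret suites,
# static RSA / PSK key transport, and an anonymous (unauthenticated) suite.
SAMPLE_CIPHER_LIST = (
    "TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:ECDHE-PSK-AES128-CBC-SHA256:"
    "PSK-AES128-CBC-SHA:AECDH-AES128-SHA"
)

# Concrete suite names: TLS 1.3 names (TLS_...) or hyphenated OpenSSL names.
# Keyword tokens such as HIGH, !aNULL, @STRENGTH or ECDHE+AESGCM do not match
# and are skipped, because they are selectors rather than suites.
SUITE_RE = re.compile(r"TLS_[A-Z0-9_]+|[A-Z0-9]+(?:-[A-Z0-9]+)+")


def classify_suite(name: str) -> str:
    """Classify an OpenSSL cipher-suite name by its key exchange.

    'forward-secret': ephemeral (EC)DHE; session keys cannot be recovered
                      from the server's long-term key after the fact.
    'static':         RSA or static PSK key transport; a leaked server key
                      (or PSK) decrypts previously recorded sessions.
    'anonymous':      ephemeral but unauthenticated (ADH/AECDH); forward
                      secret, yet any active man-in-the-middle succeeds.
    """
    # TLS 1.3 names carry no key-exchange prefix because TLS 1.3 only
    # permits ephemeral (EC)DHE.
    if name.startswith("TLS_"):
        return "forward-secret"
    if name.startswith(("ADH-", "AECDH-")):
        return "anonymous"
    if name.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "forward-secret"
    return "static"


def audit_cipher_list(cipher_list: str) -> dict:
    """Group the concrete suites of an OpenSSL cipher string by key exchange."""
    report = {"forward-secret": [], "static": [], "anonymous": []}
    for token in cipher_list.split(":"):
        token = token.strip()
        if not SUITE_RE.fullmatch(token):
            continue
        report[classify_suite(token)].append(token)
    return report


def forward_secret_only(cipher_list: str) -> str:
    """Return the list with static and anonymous suites dropped, order kept."""
    kept = [
        t.strip()
        for t in cipher_list.split(":")
        if SUITE_RE.fullmatch(t.strip())
        and classify_suite(t.strip()) == "forward-secret"
    ]
    return ":".join(kept)


def live_openssl_check(cipher_string: str) -> list:
    """Ask the local OpenSSL build which suites a cipher string actually
    enables, and return the names whose key exchange is not ephemeral.

    Uses SSLContext.get_ciphers(); its 'kea' field is 'kx-rsa' for static
    RSA key transport and 'kx-ecdhe' / 'kx-dhe' / 'kx-any' for ephemeral
    exchange. If a build omits the field, fall back to the name classifier.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    non_fs = []
    for c in ctx.get_ciphers():
        kea = c.get("kea")
        if kea is None:
            if classify_suite(c["name"]) != "forward-secret":
                non_fs.append(c["name"])
        elif kea not in ("kx-ecdhe", "kx-dhe", "kx-any"):
            non_fs.append(c["name"])
    return non_fs


if __name__ == "__main__":
    for kind, suites in audit_cipher_list(SAMPLE_CIPHER_LIST).items():
        print(f"{kind:15s} {', '.join(suites) or '-'}")
    print("hardened:", forward_secret_only(SAMPLE_CIPHER_LIST))
    print("non-FS per local OpenSSL for ECDHE+AESGCM:",
          live_openssl_check("ECDHE+AESGCM:ECDHE+CHACHA20"))
```

The name-based classifier is enough for reviewing a configuration file in a pull request; the `live_openssl_check` step matters because the library's own expansion of selector keywords (`HIGH`, `DEFAULT`) can pull in static-RSA suites that never appear literally in the config.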