tghosth
commented
5 days ago Does it fit better into V9 with other TLS stuff?
Open danielcuthbert opened 5 days ago
tghosth
commented
5 days ago @danielcuthbert ?
danielcuthbert
commented
5 days ago You know I did ponder this and im torn. Yes and no. But then should TLS be in crypto? It could fit in 9.1 nicely but that is looking a bit bare too.
jmanico
commented
4 days ago This seems way too detailed. There are hundreds of crypto requirements we could aim for. Where do we stop? Why is this critical?
And ❤️ you all, asking nicely.
randomstuff
commented
4 days ago ECH is really great/important for privacy but I am wondering whether it is really for prime time as it is not yet RFC status. And whether we should require it for now or if this should just be a recommendation.
jmanico
commented
4 days ago I politely suggest we push it to ASVS post 5.0 release.
danielcuthbert
commented
4 days ago @randomstuff one can argue that when Cloudflare has deployed it, for me that's massive scale primetime right? you couldn't get more of a huge platform to iron out the bugs
elarlang
commented
4 days ago I'm not technically competent to comment the topic but...
ECH is really great/important for privacy but I am wondering whether it is really for prime time as it is not yet RFC status. And whether we should require it for now or if this should just be a recommendation.
For OAuth/OIDC we use not released drafts, we aligned many requirements from NIST not released drafts, so it is more question does it make sense as a security requirement - that is general enough, has the impact and is not too niche.
danielcuthbert
commented
3 days ago All valid questions @elarlang ill report back with outcomes. @jmanico what other cryptography elements do you feel 5.0 is missing?
tghosth
commented
3 days ago (I am going to mark PR as draft and wait to see what else @danielcuthbert finds and also result of discussion between @jmanico and @danielcuthbert )
jmanico
commented
2 days ago All valid questions @elarlang ill report back with outcomes. @jmanico what other cryptography elements do you feel 5.0 is missing?
I added separate issues for a few things in v6!
tghosth
commented
2 days ago All valid questions @elarlang ill report back with outcomes. @jmanico what other cryptography elements do you feel 5.0 is missing?
I added separate issues for a few things in v6!
Where did you add those @jmanico ?
Encrypted Client Hello (ECH) pertains to TLS and its goal to protect metadata by encrypting client-sent data like the Server Name Indication (SNI) that might otherwise leak potentially sensitive information.
V6.8 In-Use Data Cryptography broadly addresses data protection during use and during transmission, this would be a suitable section to add a requirement for ECH
more on ECH can be found on the amazing Cloudflare blog https://blog.cloudflare.com/announcing-encrypted-client-hello/
As such, it's a huge privacy tool and I am proposing we add it to V6
| 6.8.3 | [ADDED] Verify that Encrypted Client Hello (ECH) is supported and properly configured within the application’s TLS settings to prevent exposure of sensitive metadata, such as the Server Name Indication (SNI), during TLS handshake processes. | | ✓ | ✓ | |