Open danielcuthbert opened 5 days ago
@danielcuthbert ?
You know I did ponder this and im torn. Yes and no. But then should TLS be in crypto? It could fit in 9.1 nicely but that is looking a bit bare too.
This seems way too detailed. There are hundreds of crypto requirements we could aim for. Where do we stop? Why is this critical?
And ❤️ you all, asking nicely.
ECH is really great/important for privacy but I am wondering whether it is really for prime time as it is not yet RFC status. And whether we should require it for now or if this should just be a recommendation.
I politely suggest we push it to ASVS post 5.0 release.
@randomstuff one can argue that when Cloudflare has deployed it, for me that's massive scale primetime right? you couldn't get more of a huge platform to iron out the bugs
I'm not technically competent to comment the topic but...
ECH is really great/important for privacy but I am wondering whether it is really for prime time as it is not yet RFC status. And whether we should require it for now or if this should just be a recommendation.
For OAuth/OIDC we use not released drafts, we aligned many requirements from NIST not released drafts, so it is more question does it make sense as a security requirement - that is general enough, has the impact and is not too niche.
All valid questions @elarlang ill report back with outcomes. @jmanico what other cryptography elements do you feel 5.0 is missing?
(I am going to mark PR as draft and wait to see what else @danielcuthbert finds and also result of discussion between @jmanico and @danielcuthbert )
All valid questions @elarlang ill report back with outcomes. @jmanico what other cryptography elements do you feel 5.0 is missing?
I added separate issues for a few things in v6!
All valid questions @elarlang ill report back with outcomes. @jmanico what other cryptography elements do you feel 5.0 is missing?
I added separate issues for a few things in v6!
Where did you add those @jmanico ?
Encrypted Client Hello (ECH) pertains to TLS and its goal to protect metadata by encrypting client-sent data like the Server Name Indication (SNI) that might otherwise leak potentially sensitive information.
V6.8 In-Use Data Cryptography broadly addresses data protection during use and during transmission, this would be a suitable section to add a requirement for ECH
more on ECH can be found on the amazing Cloudflare blog https://blog.cloudflare.com/announcing-encrypted-client-hello/
As such, it's a huge privacy tool and I am proposing we add it to V6
| 6.8.3 | [ADDED] Verify that Encrypted Client Hello (ECH) is supported and properly configured within the application’s TLS settings to prevent exposure of sensitive metadata, such as the Server Name Indication (SNI), during TLS handshake processes. | | ✓ | ✓ | |