OWASP / www-community

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.
https://owasp.org/www-community/

Would OWASP be interested in publishing a guide on how to do cross-organization mTLS? #991

Open MarkSRobinson opened 1 month ago

MarkSRobinson commented 1 month ago

I've been working with cross-organization mTLS for quite a while and the standard guidance (just do whatever you want) is remarkably terrible.

Would OWASP be interested in publishing a guide on how to do it right that focuses on security, operations, and not emailing certificates around?

kingthorin commented 1 month ago

Sure. Not sure if it's best here or as part of the cheat sheet series. Lemme see if I can drum up some other input.

bkimminich commented 1 month ago

Agree that this sounds like a good Cheat Sheet! Maybe there's even one where this could fit in already?

kwwall commented 1 month ago

@MarkSRobinson - Would you mind bringing this up as an issue for the OWASP Cheat Sheet Series at https://github.com/OWASP/CheatSheetSeries/issues ? I am both a contributor and reviewer of Cheat Sheets and I think this would be more appropriate there. Thanks.

oej commented 1 month ago

There is a discussion in the IETF UTA wg about writing specs for mTLS which is missing.

MarkSRobinson commented 1 month ago

@kwwall Good idea - https://github.com/OWASP/CheatSheetSeries/issues/1492