Requirement 3: TLS

[tolim]

From the requirements section:

5.1.3 Requirement 3: TLS

The CSAF document is retrievable from a website which uses TLS for encryption and server authenticity. The CSAF document MUST not be downloadable from a location which does not encrypt the transport.

I like that TLS is required here. Two points as comments:

• The requirement emphasizes encryption for data protection. However, most of the published advisories are already public so encryption is not really required. We need to ensure authenticity of the server and data integrity for the document download.
• Advisories may be located in local unencrypted network shares within organizations. This implementation may be perfectly adequate from a security point of view. So we should avoid defining that the document MUST NOT be downloadable from a non-encrypting location.

This would be my suggestion: The organization's default website offering CSAF documents MUST provide data protection based on TLS to ensure server authenticity and data integrity.

[sthagen]

I think the encryption part is still important to ensure the TLP (or other distribution) protocol adherence (transitivity). Maybe we can find a way to state the TLS requirement for external exchanges?

[sthagen]

I suggest to emphasize the TLS requirement for external access to be the default mechanism, like maybe:

5.1.3 Requirement 3: TLS

The CSAF document is per default retrievable from a website which uses TLS for encryption and server authenticity. The CSAF document MUST not be downloadable from a location which does not encrypt the transport when crossing organizational boundaries to maintain the chain of custody.

or something like this. Rationale is twofold:

1. allow intra organizational storage and transit as an organization sees fit
2. enforce the offering of authenticated between organizations that maintains the integrity of the document