Open kieran242 opened 1 month ago
jmelancongen
commented
1 month ago This Annex seems to overlap quite a bit with the recently discussed "Security Extension" concept that was discussed during the last Cloud Profile meeting with the TSC. Is this related to it or is it an independant proposal?
kieran242
commented
1 month ago This Annex seems to overlap quite a bit with the recently discussed "Security Extension" concept that was discussed during the last Cloud Profile meeting with the TSC. Is this related to it or is it an independant proposal?
The Ciphers were presented at the Cloud Profile Virtual meetings then Discussed in TC and VE at Bangkok F2F meetings on the last day and as per advice and action item from those meetings the Issue was raised and this Pull Request to gather further comments. Further to this within the Issue and this PR I have defined the scope to just Ciphers after comments about that at the meetings.
Regarding the TSC, yes it was discussed with them at the same meeting and will be further in San Diego.
kieran242
commented
1 month ago LGTM, only question is what "bodies" might qualify as but thats very esoteric, they carry the defacto standard.
Thank you Axel, that is why I further raised the PR to get more targeted consensus as to "What Bodies" and either add or remove Ciphers to this list.
AxelKeskikangas
commented
1 month ago I think they are sufficient to reach a consensus of acceptable algorithms, internet standardization is not always as clear as only relying on IETF & other "proper" bodies.
ocampana-videotec
commented
1 month ago Sorry, but I have the feeling we are recreating the issues we had with Profile Q. Security is a moving target, we cannot put it in a technical specification.
From my perspective, the choice of the ciphers is a quality issue, which is orthogonal to the technical specifications. If we want to create an informative annex so that we can instruct people to look at the right organizations for security it is fine for me, although I think it may not be very useful.
kieran242
commented
1 week ago Thanks all for update to the PR I will update accordingly.
This PR has been created off the back of issue #483 and note as per my comment in the issue I am not defining or proposing algorithms of digital signature and key exchange etc this is I believe outside the ONVIF Standards scope of reference.
I have created as suggested an additional Annex to the ONVIF Advanced Security Specification with a small subset of ciphers covering TLS 1.2 / 1.3 that are common recommendations issued as guidance by the bodies Cloudflare, IETF (TLS 1.2, TLS1.3), Mozilla, and ciphersuite.info (TLS 1.2, TLS 1.3).
I also wish to use this PR to gather information from other ONVIF members as to further extend the PR as appropriate.
N.B. I have not included the following two cipher suites of TLS1.3 TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256 only due to the fact that neither Cloudflare nor Mozilla recommended them. I will be happy to include them should there be a consensuses reached on them.