Comments (5)
Addressed in PR #53.
from openc2-impl-https.
Agree with 'SHOULD' use 1.3 but 'REQUIRED' precludes TLS 1.2 and may inhibit backward compatibility. It is conceded that there are currently no openc2 instances operating today; however, existing products may implement in the future. In the interest of backward compatibility and minimizing constraints, suggest SHOULD vice REQUIRED.
This was discussed at the 19 Dec 2018 IC-SC meeting (attendees were Lemire, Brule, Considine, Kemp, Martinez, Sparrell). Consensus of the meeting was supportive of requiring TLS 1.3 and precluding prior versions of TLS / SSL. Supporting rationales included:
- No known use cases requiring earlier TLS / SSL versions
- Vendors will build to lowest acceptable requirement
- Implementations will likely have a long enough marketplace lifetime that setting a strong minimum requirement is appropriate
- Interoperability is better served by limiting options
This was discussed at the January 2019 F2F and the PR language was presented. Several participants asserted that they already have OpenC2 implementations that are using TLS v1.2. Some also indicated they had had significant difficulty getting customers to move to TLS v1.2 from previous versions. General consensus was to keep the existing language.
After hearing the discussion, the original commenter (Duncan Sparrell) withdrew the comment.
This comment has been withdrawn. No changes to the HTTPS specification. Closing this issue.