Title
Transport Layer Security Profile
Description
This profile provides detailed information, guidance, and standards to be used for the usage of Transport Layer Security version 1.3 (TLS 1.3) protocol to provide authentication, confidentiality and integrity services for protecting the communication between service providers and consumers.

Reference document

Org
FMN
Pubnum
Date
2022-12-02
Version
Title
Proposed FMN Spiral 5 Specification

Taxonomy

Standards

Obligation: MANDATORY, Lifecycle: CANDIDATE

Base standard

Guidance

Certificate validation

  • Federated services that implement TLS shall perform certificate validation. Certificate validation shall include checking at least full certificate path validation, certificate validity period and certificate revocation status.
  • Federated services that implement TLS shall be able to check the revocation status of digital certificates through HTTP or OSCP endpoints.
  • If compliance and validation of Digital Certificates fail, TLS connections shall be terminated

Cryptographic algorithms and cipher suites

  • TLS_AES_128_GCM_SHA256 (mandatory)
  • TLS_AES_256_GCM_SHA384 (recommended)
  • TLS_CHACHA20_POLY1305_SHA256 (recommended)
  • If no cipher suite could be negotiated, TLS connections shall be terminated.

Maximum lifetime and session termination

  • The upper limit for the lifetime of a TLS session shall not exceed 48 hours.
  • When the TLS connection is closed, ephemeral keys shall be securily deleted.

Disallowed standards and extensions

  • SSL version 2.0, version 3.0 and TLS version 1.0 or 1.1
  • The Heart Beat Extension (RFC 6520)

Status

URI

History

Flag Date RFC Version
added 2023-01-23 14-32 15
UUID
7cf738bd-86f2-4598-8213-51d4d207163a

Utilization

This profile is used by the following profiles: