- Title
- Transport Layer Security Profile
- Description
- This profile provides detailed information, guidance, and standards to be used for the usage of Transport Layer Security version 1.3 (TLS 1.3) protocol to provide authentication, confidentiality and integrity services for protecting the communication between service providers and consumers.
Taxonomy
Standards
Guidance
Certificate validation
- Federated services that implement TLS shall perform certificate validation. Certificate validation shall include checking at least full certificate path validation, certificate validity period and certificate revocation status.
- Federated services that implement TLS shall be able to check the revocation status of digital certificates through HTTP or OSCP endpoints.
- If compliance and validation of Digital Certificates fail, TLS connections shall be terminated
Cryptographic algorithms and cipher suites
- TLS_AES_128_GCM_SHA256 (mandatory)
- TLS_AES_256_GCM_SHA384 (recommended)
- TLS_CHACHA20_POLY1305_SHA256 (recommended)
- If no cipher suite could be negotiated, TLS connections shall be terminated.
Maximum lifetime and session termination
- The upper limit for the lifetime of a TLS session shall not exceed 48 hours.
- When the TLS connection is closed, ephemeral keys shall be securely deleted.
Disallowed standards and extensions
- SSL version 2.0, version 3.0 and TLS version 1.0, 1.1 or 1.2
- The Heart Beat Extension (RFC 6520)