[Openid-specs-fapi] Issue #248: Part 2 text prevents the use of TLS 1.3 (openid/fapi)

josephheenan issues-reply at bitbucket.org
Wed Jul 17 11:35:44 UTC 2019

New issue 248: Part 2 text prevents the use of TLS 1.3

Joseph Heenan:

The current text in part 2:

> Section 7.1 of Financial-grade API - Part 1: Read Only API Security Profile shall apply, with the following additional requirements:
> 1. Only the following 4 cipher suites shall be permitted:
> <…>

prevents the use of TLS 1.3 which doesn’t support these ciphers.


I suggest the whole block is prefixed with text along the lines of “… If not using TLS 1.3 or later …”.


I also checked into the status of BCP195; there’s no current draft I can find to update it to cover TLS 1.3 considerations. The feeling on the WG last year seemed to be that TLS 1.3 does not require the same degree of profiling that TLS 1.2 did, e.g. https://mailarchive.ietf.org/arch/msg/uta/1-ZbvY7HoLktPQk6U-YszUzEb9o
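As an added illustration (not code from the issue, the FAPI specs, or the OpenID Foundation), the Python below applies the rule the proposal describes to a negotiated connection: the suite allow-list is enforced only below TLS 1.3. The permitted-suite list is a constructed stand-in for the four suites the issue elides as "<…>", and the TLS 1.2 minimum is an assumption about what Part 1 section 7.1 requires; the second helper shows why an OpenSSL-backed stack cannot satisfy a TLS 1.2 allow-list with a TLS 1.3 handshake, since `set_ciphers()` never touches the TLS 1.3 suites.

```python
import ssl

# Constructed stand-in for the spec's permitted TLS 1.2 suites (quoted as
# "<...>" in the issue); valid IANA names, but not the spec's own list.
PERMITTED_TLS12_SUITES = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
})

# Version strings in the form returned by ssl.SSLSocket.version().
_VERSIONS = {"TLSv1": (1, 0), "TLSv1.1": (1, 1),
             "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}


def connection_permitted(version: str, suite: str) -> bool:
    """Proposed rule: anything below TLS 1.2 is rejected (assumed Part 1
    minimum); TLS 1.3 or later is accepted with any suite, because the
    TLS 1.2 allow-list does not apply; TLS 1.2 must use a permitted suite."""
    v = _VERSIONS.get(version)
    if v is None or v < (1, 2):
        return False
    if v >= (1, 3):
        return True
    return suite in PERMITTED_TLS12_SUITES


def server_context(tls12_cipher_list: str) -> ssl.SSLContext:
    """OpenSSL-backed context: set_ciphers() governs TLS 1.2 and below only,
    so the RFC 8446 TLS 1.3 suites remain enabled regardless of the list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(tls12_cipher_list)
    return ctx


def suites_by_protocol(ctx: ssl.SSLContext) -> dict:
    """Group the suites the context will offer by the protocol version
    each belongs to, so the TLS 1.2 and TLS 1.3 sets can be compared."""
    grouped = {}
    for c in ctx.get_ciphers():
        grouped.setdefault(c["protocol"], []).append(c["name"])
    return grouped


if __name__ == "__main__":
    # OpenSSL spellings of the two constructed TLS 1.2 suites above.
    ctx = server_context("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384")
    for proto, names in suites_by_protocol(ctx).items():
        print(proto, names)
```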
