[Openid-specs-fapi] Issue #461: FAPI2-Baseline - has the time come to recommend/require TLS 1.3? (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Mon Dec 6 22:51:05 UTC 2021
New issue 461: FAPI2-Baseline - has the time come to recommend/require TLS 1.3?
https://bitbucket.org/openid/fapi/issues/461/fapi2-baseline-has-the-time-come-to
Joseph Heenan:
The current TLS restrictions in [https://openid.net/specs/fapi-2_0-baseline-ID1.html#name-network-layer-protections](https://openid.net/specs/fapi-2_0-baseline-ID1.html#name-network-layer-protections) are a little weaker than FAPI1-Adv, in particular FAPI2-Baseline allows the use of various ciphers known to be insecure.
We could make this much easier by just requiring the use of TLS 1.3. However, I’m not sure we’re quite at that point yet?
It feels like TLS 1.3 support should at least be a ‘should’. And we should probably add that language from FAPI1-Adv that reduces the ciphers that can be used in TLS 1.2.
For browser support, see: [https://caniuse.com/tls1-3](https://caniuse.com/tls1-3)
[https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-](https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-)
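As an added illustration (not code from the issue, the FAPI specifications or the OpenID project), the Python snippet below builds a server-side `ssl` context for each of the two options raised above: require TLS 1.3 outright, or keep TLS 1.2 but limit it to a restricted suite list, plus a small audit helper for checking what an existing connection actually negotiated. The suite list is my recollection of the TLS 1.2 suites FAPI 1 Advanced permits (OpenSSL names) and is an assumption to verify against the spec text before use.

```python
import ssl

# Assumed: TLS 1.2 suites permitted by FAPI 1 Advanced, in OpenSSL naming.
# Verify against the spec before deploying; this list is not taken from the issue.
FAPI1_ADV_TLS12_SUITES = (
    "DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)


def make_server_context(require_tls13: bool = False) -> ssl.SSLContext:
    """Server context for either policy discussed in the issue.

    require_tls13=True  -> reject anything below TLS 1.3 (the 'just require 1.3' option).
    require_tls13=False -> allow TLS 1.2 but only with the restricted suite list;
                           TLS 1.3 suites are unaffected and remain available.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if require_tls13:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        # set_ciphers only governs the TLS 1.2 list; weak suites such as
        # CBC/SHA1 or static RSA key exchange are simply not offered.
        ctx.set_ciphers(":".join(FAPI1_ADV_TLS12_SUITES))
    ctx.options |= ssl.OP_NO_COMPRESSION  # defence in depth, unrelated to the suite list
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """Report the minimum version and the TLS 1.2 suites the context would offer."""
    return {
        "min_version": ctx.minimum_version.name,
        "tls12_suites": sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"),
    }


def connection_conforms(version: str, cipher: str) -> bool:
    """Audit rule: TLS 1.3 is always fine; TLS 1.2 only with an allowed suite; older versions never."""
    if version == "TLSv1.3":
        return True
    return version == "TLSv1.2" and cipher in FAPI1_ADV_TLS12_SUITES


def audit_socket(ssl_sock: ssl.SSLSocket) -> bool:
    """Apply the audit rule to a live SSLSocket (version() and cipher() use OpenSSL names)."""
    return connection_conforms(ssl_sock.version(), ssl_sock.cipher()[0])
```

`policy_summary` is useful for checking what a deployed context would actually offer, since `get_ciphers()` reflects the OpenSSL build in use rather than the names you asked for.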