[Openid-specs-fapi] Issue #707: Very restrictive list of TLS cipher suites (openid/fapi)
dag.sneeggen
issues-reply at bitbucket.org
Mon Aug 19 07:37:15 UTC 2024
New issue 707: Very restrictive list of TLS cipher suites
https://bitbucket.org/openid/fapi/issues/707/very-restrictive-list-of-tls-ciphers-suits
Dag Sneeggen:
The section [https://openid.net/specs/fapi-2_0-security-profile-ID2.html#name-tls-12-permitted-cipher-sui](https://openid.net/specs/fapi-2_0-security-profile-ID2.html#name-tls-12-permitted-cipher-sui) lists 4 allowed cipher suites (or two really).
My company also has a very restrictive TLS 1.2 cipher suite list, but we have one more allowed suite: `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`.
We’ve done this selection not only based on best practices such as [https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/), but also on several eID compliance requirements (MitID, FTN, DigID, iDIN, etc.). It would be very difficult, if not impossible, to offer FAPI with these eIDs because the TLS requirements are not aligned.
So my question is: is there a specific reason why this cipher suite is not allowed? Would it be possible to include it in the list?
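An added example (editor's code, not from the issue or the FAPI spec) that checks a deployed TLS 1.2 cipher list against a FAPI-permitted set: it classifies each suite by forward secrecy and AEAD and lists what a FAPI-conformant peer could still negotiate. The `FAPI_PERMITTED` set is this editor's recollection of the four RFC 7525 suites the linked section names and must be verified against the spec; `COMPANY_SUITES` is a constructed list modelled on the post.

```python
import re

# ASSUMPTION: the four TLS 1.2 suites this editor recalls FAPI 2.0 ID2 permitting
# (RFC 7525's recommended set). Verify against the linked spec section before use.
FAPI_PERMITTED = frozenset({
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
})

# Constructed sample: an ECDHE-only list like the post's, plus the ChaCha20 suite it asks about.
COMPANY_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]

# IANA TLS 1.2 suite names have the shape TLS_<kx>[_<auth>]_WITH_<cipher>_<prf/mac>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|ECDH|RSA)(?:_(?P<auth>RSA|ECDSA))?"
    r"_WITH_(?P<cipher>.+)_(?P<mac>SHA256|SHA384|SHA)$"
)
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")

def parse_suite(name: str) -> dict:
    """Split an IANA suite name into kx/auth/cipher/mac; raises on unknown shapes."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised TLS 1.2 suite name: {name}")
    parts = m.groupdict()
    # A bare TLS_RSA_... suite uses RSA for both key transport and authentication.
    parts["auth"] = parts["auth"] or parts["kx"]
    return parts

def assess(configured, permitted=FAPI_PERMITTED) -> list:
    """Per configured suite: forward secrecy, AEAD, and whether FAPI permits it."""
    rows = []
    for name in configured:
        p = parse_suite(name)
        rows.append({"suite": name, "fapi_permitted": name in permitted,
                     "forward_secrecy": p["kx"] in ("ECDHE", "DHE"),
                     "aead": any(mk in p["cipher"] for mk in AEAD_MARKERS)})
    return rows

def can_negotiate(configured, permitted=FAPI_PERMITTED) -> list:
    """Suites that both this configuration and a FAPI-conformant peer accept."""
    return sorted(set(configured) & permitted)
```

Run `assess(COMPANY_SUITES)` to see that the ChaCha20 suite has the same forward-secrecy and AEAD properties as the permitted ones but is not in the list, and `can_negotiate` to see which suites would actually survive a FAPI handshake.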