...
- What else needs to be done to ready materials for BE 2020 community consensus?
- There is a working draft of an FAQ. The plan is that it will be published on the InCommon website as a companion to the BE material
- There is a chance that once the community examines the proposed BE 2020 statements, for example around error URL, more clarity will be required.
- There is concern regarding this proposed BE statement (difficult for an organization to be sure it is in compliance):
Statement - All SP service endpoints must be secured with current, supported, unbroken transport layer encryption.
- DavidB has looked into this for U of Alaska. There are not a lot of options in the approaches
- Eric: Everyone deals with this in their local environment, it’s related to SIRTFI,
- hard to tie down to one specific metric, regarding how many versions back.
- It’s always nice to have specifics, but if it’s tough
- Suggestion to use OWASP materials / wording to tweak this
- Each CTAB member should read through the OWASP cheatsheets:
- https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
- https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
- Question on how often the OWASP cheat sheet documents are updated. Issue of drifting changes
- AI Albert email CTAB about reviewing the two OWASP cheatsheets (done)
- Plan is that Tech Ex will be used for last round of feedback from community on BE 2020 plan prior to moving into community consensus
- See the two CTAB Tech Ex 2019 sessions listed below
...