...
Discussion
Baseline Expectations (BE) 2020
- OWASP cheat sheets - how do we apply them to BE requirements (TomB)
- https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
- https://cheatsheetseries.owasp.org/cheatsheets/TLS_Cipher_String_Cheat_Sheet.html
- TomB: for consumer electronics, not subject to those restrictions. People can travel with their cellphones.
- Regarding this BE statement:
- "All SP service endpoints must be secured with current, supported, unbroken transport layer encryption"
- Need to have appropriately encrypted endpoints
- The 2 OWASP cheat sheets demonstrate there are many details and choices
- CTAB must decide which are satisfactory choices
- TomB shared scanning mechanism used at U. Chicago
- DavidB: suggests most restrictive approach
- Jon: if a platform (e.g., Windows) can’t support the most restrictive approach, is that outside of baseline?
- We must do the research to tell participants what to do on an OpenSSL platform and what to do on Windows
- Hard to figure out the best approach on containers
- SSL Labs has an API, can be used to measure, provides a grade and provides feedback
- Goal now is to support TLS 1.2 but eventually the goal posts will change
- TLS 1.1 will soon mean a grade of B instead of A
- If we apply the SSL Labs standard to a commercial SP (such as Box) that is crucial for campuses, it will be a problem if Box gets “kicked out”
- Suggestion that MC, Rachana, and others try this SSL Labs test
- AI (Rachana) talk with her team to get more perspectives about improving the TLS
- AI (John) talk with his team to get input about improving TLS
- Use API to automate the SSL Labs testing?
- What would be the next steps and consequences and timeframe for fixing if an organization does not pass
- It would be convenient to rely on SSL testing and grade for Baseline Expectations
- There would be cycle time for remediation if grade falls below an A
- Issues around international browsers?
- Is the suggestion that participants test themselves and submit their results?
- Or would InCommon do the testing?
- [AI] Albert consult with NickR on engineering or other practical concerns that would arise if InCommon does the testing around secure endpoints
- Important to provide guidance on how to disable TLS 1.1
- DavidB found lack of documentation for Windows on this
- CTAB would need to provide guidance
- Find out the top platforms being used, Tomcat, JEDI,
- There will be some support burden; “I want to do this but I don’t know how”
- CTAB needs to figure out what is reasonable, be careful in setting a high bar that is hard to implement
- For those who do not meet this, there would be a process, including dispute resolution, and could lead to extensions being given and/or an exception being made
- Steering is the final judge in cases where an entity might be removed from metadata
- The community will have time to adhere to any new baseline requirements
- Sirtfi - what do we need to say to clarify? (David)
- Do we need to go beyond “by checking the box you agree to support the SIRTFI framework”
- At U Alaska, they don’t adopt SIRTFI as practice, and that would be OK under the proposed Baseline Expectations. They can respond to a request for SIRTFI and that is what is required.
- AI Albert flesh out the BE 2020 doc with more on SIRTFI, endpoints, and other matters
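The discussion above raises automating the SSL Labs check through its API and deciding what grade and protocol set count as "current, supported, unbroken" transport encryption. The following script is an added illustration written for these notes; it is not code from CTAB, InCommon or Qualys. It evaluates an SSL Labs `analyze` result against an assumed policy (grade A or better, nothing older than TLS 1.2 offered). The request parameters and response field names (`status`, `endpoints[].grade`, `endpoints[].details.protocols[].name`/`version`) follow the public SSL Labs API v3 as documented by Qualys; `SAMPLE` is a constructed response so the evaluation runs offline, and the grade ordering and the A cut-off are policy assumptions, not SSL Labs rules.

```python
"""Check an SSL Labs (api.ssllabs.com v3) scan result against a
Baseline-Expectations-style TLS policy. Example code for these notes;
the policy thresholds below are assumptions, not an InCommon decision."""
import json
import urllib.parse
import urllib.request

API = "https://api.ssllabs.com/api/v3/analyze"  # public SSL Labs endpoint
MIN_GRADE = "A"  # policy assumption: A- and below fail
# Protocol versions the policy treats as legacy (name/version as SSL Labs reports them).
LEGACY = {("SSL", "2.0"), ("SSL", "3.0"), ("TLS", "1.0"), ("TLS", "1.1")}
# Best to worst; T (trust issues) and M (certificate name mismatch) always fail.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]


def fetch_analysis(host, max_age_hours=24):
    """Ask SSL Labs for a (possibly cached) full result for `host`.
    Needs network access; `all=done` makes the API include per-endpoint details."""
    params = urllib.parse.urlencode({
        "host": host, "publish": "off", "all": "done",
        "fromCache": "on", "maxAge": max_age_hours,
    })
    with urllib.request.urlopen(f"{API}?{params}", timeout=30) as resp:
        return json.load(resp)


def grade_at_least(grade, minimum=MIN_GRADE):
    """True if `grade` is as good as or better than `minimum`; unknown grades fail."""
    if grade not in GRADE_ORDER or minimum not in GRADE_ORDER:
        return False
    return GRADE_ORDER.index(grade) <= GRADE_ORDER.index(minimum)


def evaluate(result):
    """Return one (ip_address, passed, reasons) tuple per endpoint in the result.
    A scan that is still running is an error, not a pass."""
    if result.get("status") != "READY":
        raise ValueError(f"scan not finished: {result.get('status')}")
    findings = []
    for ep in result.get("endpoints", []):
        reasons = []
        grade = ep.get("grade")
        if not grade_at_least(grade):
            reasons.append(f"grade {grade} below {MIN_GRADE}")
        for proto in ep.get("details", {}).get("protocols", []):
            if (proto.get("name"), proto.get("version")) in LEGACY:
                reasons.append(f"{proto['name']} {proto['version']} still enabled")
        findings.append((ep.get("ipAddress"), not reasons, reasons))
    return findings


# Constructed sample response (not real scan data): one compliant endpoint,
# one that would be flagged for a B grade and for still offering TLS 1.1.
SAMPLE = {
    "host": "sp.example.edu",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A+",
         "details": {"protocols": [{"name": "TLS", "version": "1.2"},
                                   {"name": "TLS", "version": "1.3"}]}},
        {"ipAddress": "192.0.2.11", "grade": "B",
         "details": {"protocols": [{"name": "TLS", "version": "1.1"},
                                   {"name": "TLS", "version": "1.2"}]}},
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE with fetch_analysis("sp.example.edu") to test a live host.
    for ip, ok, reasons in evaluate(SAMPLE):
        print(ip, "PASS" if ok else "FAIL", "; ".join(reasons))
```

Because the API caches results, a batch run over all SP endpoints can poll `fetch_analysis` until `status` is `READY` and then feed each result to `evaluate`; the remediation cycle the notes mention starts from the `reasons` list rather than from the bare letter grade.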
...