For each actor in CA:Sec, the options labeled “R” shall be selected.

TLS Floor  Option

Actors that support this option have the ability to both:

• Operate with the highest level of cyber protection for the TLS-protected communication channel per the current standards and IETF Best Current Practice (BCP195, RFC5246 at the time of writing – with TLS 1.2 or higher and selected cipher suites), and
• Restrict to the use of the current version of TLS (1.2 at the time of writing) [RFC5246] or higher, with strong recommendation for support of TLS version 1.3 [RFC8446].

Note: The recommendation for support of higher versions of TLS (1.3 at the time of writing) will become mandatory in the future.

An actor that supports this option shall be able to comply with the current standards and IETF Best Current Practice (BCP195, RFC5246 at the time of writing) with the additional restrictions enumerated in ITI-19 TLS Floor Option.

For details see RFC7525: https://www.rfc-editor.org/rfc/rfc7525.

FQDN Validation of Server Certificate Option 

See sections Machine to Machine Authentication and FQDN Validation of Server Certificate.

Note: IETF Best Current Practice BCP195 recommends, but does not require, FQDN validation.

When an actor implements this option, it need not be capable of functioning without this validation.