For each actor in CA:Sec, the options labeled “R” shall be selected.

Actor               | Options                               | Optionality
--------------------|---------------------------------------|------------
Secure Application  | Mutual TLS                            | O (Note 1)
                    | Server-side TLS                       | O (Note 1)
                    | FQDN Validation of Server Certificate | R

Note 1: The Secure Application shall support one of the following options: Mutual TLS or Server-side TLS.

Mutual TLS Option

The Mutual TLS option is a two-way authentication mechanism in which both the server and the client application identify themselves via the Transport Layer Security (TLS) protocol using digital certificates.

Actors that support this option have the ability to both:

  • Operate with the highest level of cyber protection for the TLS-protected communication channel per the current standards and IETF Best Current Practice (BCP195, RFC5246 at the time of writing – with TLS 1.2 or higher and selected cipher suites), and
  • Restrict use to the current version of TLS (1.2 at the time of writing) [RFC5246] or higher, with a strong recommendation to support TLS version 1.3 [RFC8446].

Note: The recommendation for support of higher versions of TLS (1.3 at the time of writing) will become mandatory in the future.

An actor that supports this option shall be able to comply with the current standards and IETF Best Current Practice (BCP195, RFC5246 at the time of writing) with the additional restrictions enumerated in Authenticate Node [ITI-19] section Mutual TLS / Server-side TLS Option.

For details see RFC7525: https://www.rfc-editor.org/rfc/rfc7525.

Server-side TLS Option

The Server-side TLS option is a one-way authentication mechanism in which the server identifies itself to the client application via the Transport Layer Security (TLS) protocol using digital certificates. This is the authentication mechanism used by the HTTPS protocol.

The client application uses other means for identification, typically OAuth2/OIDC.

This option is described in the IUA specification for ATNA profile as STX: HTTPS IUA Option.

Note: The abilities and compliance for an actor that supports Server-side TLS option are the same as those described in section Mutual TLS Option.

FQDN Validation of Server Certificate Option

See sections Machine to Machine Authentication and FQDN Validation of Server Certificate.

Note: IETF Best Current Practice BCP195 recommends, but does not require, FQDN validation.

When an actor implements this option, it need not be capable of functioning without this validation.
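As an added example that is not part of the CA:Sec text, the following Go program exercises the Mutual TLS and FQDN Validation of Server Certificate options described above together: both sides refuse anything below TLS 1.2, the server requires and verifies a client certificate, and the client validates the server certificate's subject alternative name against the FQDN it expects. The certificates, the names app.example.test and client.example.test, and the loopback listener are constructed in memory for the example and are assumptions, not values from the specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures (key generation, certificate creation, listening) abort the example
	}
	return v
}
func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
// newCert builds a self-signed certificate whose SAN is dnsName (constructed in-memory test material).
func newCert(dnsName string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}
// MutualTLSHandshake runs a loopback handshake: TLS 1.2 or higher on both sides, the server requires a
// verified client certificate, the client validates the server SAN against expectedName (FQDN validation).
func MutualTLSHandshake(serverCertName, expectedName string) error {
	srvCert, cliCert := newCert(serverCertName), newCert("client.example.test")
	srvCfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{srvCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(cliCert.Leaf)} // Mutual TLS
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cliCert},
		RootCAs: pool(srvCert.Leaf), ServerName: expectedName} // ServerName drives FQDN validation
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close()
	go func() { // server side: accept the one connection and drive its handshake to completion
		c := must(ln.Accept())
		c.(*tls.Conn).Handshake()
		c.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // an FQDN mismatch fails here
	if err != nil {
		return err
	}
	return conn.Close()
}
```

Calling MutualTLSHandshake with matching names succeeds, while a server certificate issued for a different FQDN than the client expects is rejected by the client before the connection is used.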
