Introduction
The following notes are gathered from Subject Matter Expert guidance and responses to participant questions.
SSL Certificates
An SSL certificate must be served over TLS version 1.2 or above. EV certificates are not explicitly required. A DH should use a reputable public CA, e.g. one trusted by widely used browsers. A DH that maintains an unreasonably restrictive CA list, and consequently fails to make a revocation call to an ADR, would not be compliant with the Consumer Data Standards.
Cipher suite support
The CDS, in line with FAPI, limits cipher suites to:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
The Data Holder has discretion to choose which of those ciphers to support. It is acceptable to support only two of the listed cipher suites.
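The following is an added example, not part of the original notes or any CDR reference implementation. It checks a list of cipher suites (as a TLS scanner might report them for an endpoint) against the four suites listed above, and builds a client-side TLS context a DH could use for outbound calls such as the revocation call to an ADR, with TLS 1.2 as the minimum and the platform's public CA bundle rather than a private restricted CA list. The IANA-to-OpenSSL name mapping and the sample scan output are the example's own assumptions.

```python
"""Added example: check a TLS cipher-suite list against the four CDS/FAPI suites.

Assumptions (not from the page): the IANA-to-OpenSSL name mapping below and the
constructed sample scan output are this example's own illustration.
"""
import ssl

# The four suites the standard permits, keyed by IANA name with the equivalent
# OpenSSL cipher-string name as value (mapping assumed, not from the page).
CDS_ALLOWED_SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}
_ALLOWED_OPENSSL_NAMES = frozenset(CDS_ALLOWED_SUITES.values())


def check_suites(offered):
    """Split a list of suite names (IANA or OpenSSL form) into
    (compliant, non_compliant), preserving the order they were offered in."""
    compliant, non_compliant = [], []
    for name in offered:
        openssl_name = CDS_ALLOWED_SUITES.get(name, name)
        if openssl_name in _ALLOWED_OPENSSL_NAMES:
            compliant.append(name)
        else:
            non_compliant.append(name)
    return compliant, non_compliant


def is_compliant(offered):
    """True only if every offered suite is one of the four and at least one is
    present. A subset (e.g. only the two ECDHE suites) is acceptable per the notes."""
    compliant, non_compliant = check_suites(offered)
    return bool(compliant) and not non_compliant


def build_client_context():
    """Client-side context a DH could use for its outbound calls (e.g. the
    revocation call to an ADR): TLS 1.2 minimum, only the four suites for
    TLS 1.2, and the system's public CA trust store rather than a private list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 suites; OpenSSL configures TLS 1.3 suites separately.
    ctx.set_ciphers(":".join(CDS_ALLOWED_SUITES.values()))
    ctx.load_default_certs()  # reputable public CAs from the platform trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample: what a scanner might report for a hypothetical DH endpoint.
    sample_scan = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",                 # static RSA, CBC: not listed
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # not listed
    ]
    ok, bad = check_suites(sample_scan)
    print("compliant:", ok)
    print("non-compliant:", bad)
    print("overall compliant:", is_compliant(sample_scan))
```

The check is deliberately strict to the four suites the notes list; any other suite, including a TLS 1.3 suite, is reported as non-compliant, so adapt the allow-list if your interpretation of "TLS 1.2 and above" admits TLS 1.3 suites.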