
technical-discuss - Re: [InC-Technical] InCommon Baseline Expectations Metadata Requirements

Subject: InCommon Technical Discussions

  • From: Nick Roy <>
  • To: "Cantor, Scott" <>, "" <>
  • Subject: Re: [InC-Technical] InCommon Baseline Expectations Metadata Requirements
  • Date: Wed, 8 Nov 2017 14:58:30 -0700



On 11/8/17 1:58 PM, Cantor, Scott wrote:
>> RECOMMENDED:
>>
>> SSL certificates on endpoints are valid
> That seems like a slippery slope: valid re: dates? Specific CAs? Key sizes?
> What about ciphers, or use of TLS 1.0, etc.?
>
> Requiring a logo is, I think, underspecified, we should mandate specific
> size(s).
>
> I'd like to see errorURL be required with guidance around what should be
> behind it.

We think errorURL should be included as well, but since it was not part
of the 'required' elements that AAC specified (AAC assumed errorURL was
part of the mdui: information, and it is not) that means this would have
to go back to AAC to make errorURL a separate required element.

Agree re: specific requirements for SSL and logo.

Here is my proposed requirement for SSL for endpoints (since it's
recommended but not required):

- Achieve a grade of A on the Qualys SSL scanner [1]

And for HTTPS Logo URL:

- Must result in an HTTP 200 in response to a GET request
- Image must be either a PNG or JPG
- Image must be 80 pixels in width by 60 in height

[1] https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

Let me know if you think this is something that would better be
discussed in detail by the Ops Advisory Group or in some other venue.

Thank you,

Nick

>
> -- Scott
>
>
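
Added example, not part of the original message or of any InCommon tooling: one way to evaluate the three logo checks proposed above (HTTP 200, PNG or JPG, 80 by 60 pixels) once the logo URL has been fetched. It assumes the caller supplies the response status and body, and it identifies the format from the file's leading bytes rather than from a Content-Type header; the function names and sample bytes are constructed for illustration.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# JPEG start-of-frame markers carry the dimensions (0xC4, 0xC8, 0xCC are not SOF).
SOF = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

def image_size(data):
    """Return (format, width, height) read from the file header, or None."""
    if data[:8] == PNG_SIG and data[12:16] == b"IHDR" and len(data) >= 24:
        w, h = struct.unpack(">II", data[16:24])  # IHDR: width, then height
        return ("PNG", w, h)
    if data[:2] != b"\xff\xd8":                   # not a JPEG SOI marker either
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None                           # lost marker sync: malformed
        marker = data[i + 1]
        if marker == 0xFF:                        # fill byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # markers with no length field
            i += 2
            continue
        seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in SOF:
            if i + 9 > len(data):
                return None                       # truncated frame header
            h, w = struct.unpack(">HH", data[i + 5:i + 9])  # SOF: height, then width
            return ("JPEG", w, h)
        i += 2 + seglen                           # skip this segment
    return None

def check_logo(status, body, want=(80, 60)):
    """Return a list of failed checks; an empty list means the logo passes."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    info = image_size(body)
    if info is None:
        problems.append("body is not a PNG or JPG")
    elif info[1:] != want:
        problems.append(f"{info[0]} is {info[1]}x{info[2]}, expected {want[0]}x{want[1]}")
    return problems

# Constructed sample inputs: header bytes only, no real image data.
SAMPLE_PNG = PNG_SIG + struct.pack(">I", 13) + b"IHDR" + struct.pack(">IIBBBBB", 80, 60, 8, 6, 0, 0, 0)
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"\0" * 14 +
               b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, 60, 80, 1) + b"\x01\x11\x00")
```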



