technical-discuss - Re: [InC-Technical] InCommon Baseline Expectations Metadata Requirements

Subject: InCommon Technical Discussions

  • From: David Langenberg
  • To: Nick Roy, "Cantor, Scott"
  • Subject: Re: [InC-Technical] InCommon Baseline Expectations Metadata Requirements
  • Date: Thu, 9 Nov 2017 14:39:00 +0000

So, maybe I missed something here (I have a cold today), but why do we care
about the foreign site’s SSL grade? Having SSL, yes, I can see that, but
beyond that, if my institution wants to run SSLv1 with a 256K key signed by
CNNIC, isn’t that a risk that only affects us?

Dave

--
David Langenberg
Asst Director, Identity Management
The University of Chicago


On 11/8/17, 3:59 PM, Nick Roy wrote:



On 11/8/17 1:58 PM, Cantor, Scott wrote:
>> RECOMMENDED:
>>
>> SSL certificates on endpoints are valid
> That seems like a slippery slope: valid re: dates? Specific CAs? Key
> sizes? What about ciphers, or use of TLS 1.0, etc.?
>
> Requiring a logo is, I think, underspecified, we should mandate
> specific size(s).
>
> I'd like to see errorURL be required with guidance around what should
> be behind it.

We think errorURL should be included as well, but since it was not part
of the 'required' elements that AAC specified (AAC assumed errorURL was
part of the mdui: information, and it is not) that means this would have
to go back to AAC to make errorURL a separate required element.

Agree re: specific requirements for SSL and logo.

Here is my proposed requirement for SSL for endpoints (since it's
recommended but not required):

- Achieve a grade of A on the Qualys SSL scanner [1]

And for HTTPS Logo URL:

- Must result in an HTTP 200 in response to a GET request
- Image must be either a PNG or JPG
- Image must be 80 pixels in width by 60 in height

[1] https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

Let me know if you think this is something that would better be
discussed in detail by the Ops Advisory Group or in some other venue.

Thank you,

Nick

>
> -- Scott
>
>
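
The three logo criteria proposed in this thread (HTTP 200, PNG or JPG, 80 by 60 pixels) can be checked mechanically. The following is an added example, not part of the original messages or any InCommon tooling; the function names are hypothetical, and it assumes the caller has already fetched the logo URL and passes in the HTTP status and response body.

```python
import struct

REQUIRED = (80, 60)  # width x height, as proposed in the thread
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def image_size(data):
    """Return (format, width, height) for PNG or JPEG bytes; raise ValueError otherwise."""
    if data.startswith(PNG_SIG):
        # The first chunk must be IHDR: length, type, then big-endian width and height.
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("truncated or malformed PNG")
        width, height = struct.unpack(">II", data[16:24])
        return "png", width, height
    if data.startswith(b"\xff\xd8"):
        i = 2
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("malformed JPEG segment")
            marker = data[i + 1]
            if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD9:
                i += 1 if marker == 0xFF else 2  # padding byte, or marker with no length field
                continue
            (seglen,) = struct.unpack(">H", data[i + 2:i + 4])
            # SOF0-SOF15 carry the frame size; C4, C8 and CC are not frame headers.
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if i + 9 > len(data):
                    raise ValueError("truncated JPEG frame header")
                height, width = struct.unpack(">HH", data[i + 5:i + 9])
                return "jpeg", width, height
            i += 2 + seglen
        raise ValueError("no JPEG frame header found")
    raise ValueError("not a PNG or JPEG image")

def check_logo(status, body):
    """Return a list of failures against the proposed logo criteria (empty means pass)."""
    problems = [] if status == 200 else [f"HTTP status {status}, expected 200"]
    try:
        fmt, width, height = image_size(body)
    except ValueError as exc:
        return problems + [str(exc)]
    if (width, height) != REQUIRED:
        problems.append(f"{fmt} is {width}x{height}, expected {REQUIRED[0]}x{REQUIRED[1]}")
    return problems

# Constructed sample inputs: image headers only, enough for the size check.
SAMPLE_PNG = PNG_SIG + struct.pack(">I4sIIBBBBB", 13, b"IHDR", 80, 60, 8, 6, 0, 0, 0)
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H5s9s", 16, b"JFIF\0", b"\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + b"\xff\xc0" + struct.pack(">HBHHB3s", 11, 8, 60, 80, 1, b"\x01\x11\x00"))
```

The check reads the dimensions from the file header rather than trusting the Content-Type header or the file extension, so a mislabelled or wrongly sized image is reported.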

