
describe server security configs as suggested by oliver

mi-xu committed Oct 12, 2018
1 parent 9872c07 commit 52ff09715b3eab65e5d61e6f6b46bad960180af9
Showing with 18 additions and 3 deletions.
  1. +18 −3 did-methods/https-did-method.md
@@ -83,9 +83,24 @@ You must perform the following steps in order to resolve the DID document from a
## Security Considerations
> TODO: Not sure if this counts as a security concern or a philosophical one that should be discussed elsewhere.
The HTTPS DID method is not fully "self-sovereign" due to its reliance on centralized certificate authorities for establishing trust in the ownership of a domain.
At least TLS 1.2 should be configured to use only strong ciphers suites and to use sufficiently large key sizes. As recommendations may be volatile these days, only the very latest recommendations should be used. However, as a rule of thumb, the following must be used:
- ephemeral keys are to be used
- ECDHE with one of the strong curves {X25519, brainpoolP384r1, NIST P-384, brainpoolP256r1, NIST P-256} shall be used as key exchange
- AESGCM or ChaCha20 with 256 bit large keys shall be used for bulk encryption
- ECDSA with one of the strong curves {brainpoolP384r1, NIST P-384, brainpoolP256r1, NIST P-256} or RSA (at least 3072) shall be used
- Authenticated Encryption with Associated Data (AEAD) shall be used as Mac
- SHA384 or POLY1305 shall be utilized
Examples for strong ciphersuites for now are:
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
More infos on hardening TLS can be found here: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
## Privacy Considerations
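Review bot: The ciphersuite examples repeat two entries: the last two lines, ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES256-GCM-SHA384, duplicate the first two, so the list holds four distinct suites rather than six; drop the duplicates. As shown here, the list is consecutive plain lines with no fence or bullets, which Markdown folds into a single paragraph, so it should go in a code block. In the requirements above the list, the normative wording mixes "should" (TLS 1.2), "must" (the rule of thumb) and "shall" (each bullet); choose one level per requirement, since "as a rule of thumb ... must be used" reads as both advisory and mandatory. The bullet "AEAD shall be used as Mac" followed by "SHA384 or POLY1305 shall be utilized" does not say what role SHA384 plays, given that every listed suite shows Mac=AEAD; state what each is required for. "RSA (at least 3072)" is missing its unit, and "only the very latest recommendations should be used" gives the reader no dated source to check against beyond the single OWASP link.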
