Changes

25 bytes added , 18:13, 5 October 2022

no edit summary

Line 2: Line 2:

==Certificate Recommendations and Guidance==

−

In support of the HTTPS Everywhere initiative, a [~~[Media~~:Recommendations for TLS Server Certificates~~.pdf|recommendations document]~~] was developed for the purpose of identifying the minimum requirements for TLS server certificate type and content, issuing CA conformance and website responsibilities that apply to all externally facing GC websites. This effort was led by TBS OCIO in close collaboration with members of the HTTPS working group including CRA, CSE, ESDC and SSC.

+

In support of the HTTPS Everywhere initiative, a [https://wiki.gccollab.ca/images/9/92/Recommendations_for_TLS_Server_Certificates_-_14_May_2021.pdf Recommendations for TLS Server Certificates] was developed for the purpose of identifying the minimum requirements for TLS server certificate type and content, issuing CA conformance and website responsibilities that apply to all externally facing GC websites. This effort was led by TBS OCIO in close collaboration with members of the HTTPS working group including CRA, CSE, ESDC and SSC.

While there are many technical details within the report that are not captured in this brief summary, the most important recommendations are:

Line 16: Line 16:

||

−

| style="width: 500px" align="center" | For additional information, please see [~~[Media~~:~~Recommendations for TLS Server Certificates~~.pdf|Recommendations for TLS Server Certificates]] for GC Public Facing Web Services or contact TBS-CIOB Cybersecurity ([mailto:zzTBSCybers@tbs-sct.gc.ca zzTBSCybers@tbs-sct.gc.ca])

+

| style="width: 500px" align="center" | For additional information, please see [https://wiki.gccollab.ca/images/9/92/Recommendations_for_TLS_Server_Certificates_-_14_May_2021.pdf Recommendations for TLS Server Certificates] for GC Public Facing Web Services or contact TBS-CIOB Cybersecurity ([mailto:zzTBSCybers@tbs-sct.gc.ca zzTBSCybers@tbs-sct.gc.ca])

|}

Line 59: Line 59:

* In the absence of HSMs, risk mitigation measures should include effective monitoring and auditing of the system so that private key compromise can be detected as early as possible followed immediately with revocation of the associated server certificate.

−

Per the [~~[Media~~:~~Recommendations for TLS Server Certificates~~.pdf|Recommendations for TLS Server Certificates]] [PDF], “care must be exercised when using multi-domain and wildcard certificates to ensure collateral damage is minimized in the event of private key compromise. Copying the same private key to multiple web servers is strongly discouraged unless appropriate risk mitigation measures are in place such as using CSE approved Hardware Security Modules to protect the private key.”

+

Per the [https://wiki.gccollab.ca/images/9/92/Recommendations_for_TLS_Server_Certificates_-_14_May_2021.pdf Recommendations for TLS Server Certificates] [PDF], “care must be exercised when using multi-domain and wildcard certificates to ensure collateral damage is minimized in the event of private key compromise. Copying the same private key to multiple web servers is strongly discouraged unless appropriate risk mitigation measures are in place such as using CSE approved Hardware Security Modules to protect the private key.”

Download the Recommendations for TLS Server Certificates.pdf:

−

~~[[File:Pdf icon.png|75px|left|link=https://wiki.gccollab.ca/images/8/89/Recommendations_for_TLS_Server_Certificates.pdf]]~~

[[File:Pdf icon.png|75px|left|link=https://wiki.gccollab.ca/images/9/92/Recommendations_for_TLS_Server_Certificates_-_14_May_2021.pdf]]

−

===HTTP Public Key Pinning (HPKP)===

Michael.brownlie

95

edits

Changes

GC HTTPS Certificate Guidance (view source)

Revision as of 18:13, 5 October 2022