Adopt BCP 195 for TLS ciphers

[nils-work]

Description

Consider the change proposed as Stage 2 in #643 - Update TLS cipher suite requirements to address DHEat Attacks and Raccoon Attack vulnerabilities

Intention and Value of Change

Improves transaction layer security to prevent exploits including the DHEat Attack and Raccoon Attack.

Area Affected

The list of supported ciphers documented in Security Profile -> Transaction Security -> Ciphers.

Change Proposed

(Stage 2 from #643 - Update TLS cipher suite requirements to address DHEat Attacks and Raccoon Attack vulnerabilities):

Adopt BCP 195 rather than explicitly listing required ciphers

This stage changes the supported ciphers section to remove reference to explicit ciphers, and instead, refer to BCP 195. There are some relevant TLS considerations in the FAPI profile, so it is proposed that the standard is changed to clearly adopt section 8.5 of FAPI 1 Advanced, and then further constrain it by only permitting ciphers recommend in the current BCP 195.

In addition to section 8.5 of [FAPI-1.0-Advanced] only cipher suites recommended by [BCP 195] SHALL be permitted.

Whilst TLS_ECDHE_*** cipher suites are recommended by BCP 195, they are not required. Consideration should be given as to whether the recommended ciphers actually be REQUIRED by the Consumer Data Standards.

Alternatively, another solution option is to only implement stage 1 and defer to BCP 195 when the standards are uplifted to FAPI 2.0.

DSB Proposed Solution

The current DSB proposal for this issue is in https://github.com/ConsumerDataStandardsAustralia/standards-maintenance/issues/648#issuecomment-2257415305