ASVS
Missing requirement for trusted certificates in V9.1
9.2.1 states the following:
Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the server must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected.
For 9.1 there is no requirement that requires the use of trusted certificates. Propose to add 9.1.5: Verify that connections to and from the server use trusted TLS certificates. Where internally generated or self-signed certificates are used, the client must be configured to only trust specific internal CAs and specific self-signed certificates. All others should be rejected.
This section in bold implies you have control over the client and would typically apply for applications used by your employees only. In such a case you would have an SSL certificate which is signed by your company's internal PKI.
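What the proposed client-side wording means in practice, as an added illustration that is not part of the ASVS text or of this issue: a TLS client that trusts only a named internal CA (an empty trust store plus one explicitly loaded CA file, rather than the OS/public root store that `ssl.create_default_context()` pulls in), and a second path for a specific self-signed server certificate that replaces chain validation with an exact SHA-256 fingerprint match. The CA file path, the pin set and `SAMPLE_DER` are constructed placeholders, not real certificates.

```python
"""Client-side trust restricted to a named internal CA or an explicit self-signed pin set.

Added illustration for the proposed 9.1.5 wording; not part of the ASVS text or
this issue. The CA file path, the pin set and SAMPLE_DER below are constructed.
"""
import hashlib
import socket
import ssl
from typing import Iterable, Optional


def make_internal_only_context(internal_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Context that trusts only the CA(s) in internal_ca_pem and nothing else.

    ssl.SSLContext(PROTOCOL_TLS_CLIENT) starts with CERT_REQUIRED and hostname
    checking but with an empty trust store; ssl.create_default_context() would
    additionally load the OS/public root store, which is exactly what the
    "all others should be rejected" clause forbids for an internal PKI.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if internal_ca_pem is not None:
        ctx.load_verify_locations(cafile=internal_ca_pem)  # path is an assumption
    return ctx


def requires_verification(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects unverifiable peers and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def trust_anchor_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates loaded into the context (0 means nothing is trusted yet)."""
    return len(ctx.get_ca_certs())


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding of a certificate (what browsers and openssl display)."""
    return hashlib.sha256(der_cert).hexdigest()


def is_pinned(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Accept a self-signed peer only if its fingerprint is in the allow-list."""
    return sha256_fingerprint(der_cert) in set(pins)


def connect_pinned(host: str, port: int, pins: Iterable[str], timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to a server that presents one specific self-signed certificate.

    Chain validation cannot succeed for a self-signed leaf, so it is switched
    off and replaced by an exact match against the pin set; any other
    certificate, including one chained to a public CA, is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)  # DER is returned even under CERT_NONE
        if der is None or not is_pinned(der, pins):
            raise ssl.SSLCertVerificationError("peer certificate is not in the pin set")
    except Exception:
        tls.close()
        raise
    return tls


# Constructed placeholder bytes standing in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
PINNED_SELF_SIGNED = {sha256_fingerprint(SAMPLE_DER)}


if __name__ == "__main__":
    ctx = make_internal_only_context()
    print("verification required:", requires_verification(ctx))
    print("trust anchors loaded:", trust_anchor_count(ctx))
    print("pinned sample accepted:", is_pinned(SAMPLE_DER, PINNED_SELF_SIGNED))
    print("other cert accepted:", is_pinned(b"some other certificate", PINNED_SELF_SIGNED))
```

The check a reviewer would run against a real client is the `trust_anchor_count` one: if it is larger than the number of internal CAs you meant to load, the client still trusts the public root store and the requirement is not met. Pinning the full leaf DER as shown is the simplest form; it has to be rotated together with the certificate, which is why the pin set is kept as data rather than hard-coded in the connection logic.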
Astute observation, I like it @roelstorms
Can we extend the verification to Certificate Authorities similar to the process undertaken by https://www.dta.gov.au/our-projects/digital-identity/gatekeeper-public-key-infrastructure-framework and https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#14-obtain-certificates-from-a-reliable-ca too?
@roelstorms do you think the changes in #1221 make this clearer and cover what you were trying to achieve?
@roelstorms any further feedback? I will probably close during mid-May if there is no further feedback.
No further remarks. Looks good.
@tghosth - is it actually done and can be closed?
@roelstorms said it did what he wanted so I am going to close, thanks