Would OWASP be interested in publishing a guide on how to do cross-organization mTLS?

Open MarkSRobinson opened this issue 1 year ago • 5 comments

I've been working with cross-organization mTLS for quite a while and the standard guidance (just do whatever you want) is remarkably terrible.

Would OWASP be interested in publishing a guide on how to do it right that focuses on security, operations, and not emailing certificates around?

MarkSRobinson avatar Sep 09 '24 16:09 MarkSRobinson

Sure. Not sure if it's best here or as part of the cheat sheet series. Lemme see if I can drum up some other input.

kingthorin avatar Sep 09 '24 16:09 kingthorin

Agree that this sounds like a good Cheat Sheet! Maybe there's even one where this could fit in already?

bkimminich avatar Sep 09 '24 17:09 bkimminich

@MarkSRobinson - Would you mind bringing this up as an issue for the OWASP Cheat Sheet Series at https://github.com/OWASP/CheatSheetSeries/issues ? I am both a contributor to and a reviewer of Cheat Sheets, and I think this would be more appropriate there. Thanks.

kwwall avatar Sep 15 '24 02:09 kwwall

There is a discussion in the IETF UTA WG about writing specs for mTLS, which is missing.

oej avatar Sep 16 '24 16:09 oej

@kwwall Good idea - https://github.com/OWASP/CheatSheetSeries/issues/1492

MarkSRobinson avatar Sep 17 '24 21:09 MarkSRobinson