
ambiguity in [crypto_certificate_verification] question

Open · TonyLHansen opened this issue 5 years ago · 1 comment

Regarding this silver question:

[crypto_certificate_verification] The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

When discussing this question in the ONAP Security Committee, several people raised the concern: "If the project only supports using SSL and not TLS, then does that mean they can select N/A?"

Now, there are other CII questions (e.g., [crypto_tls12]) that recommend/require moving away from SSL and onto TLS 1.2 or later, and [crypto_tls12] has the annotation "Note that the predecessor of TLS was called SSL."

But without a similar annotation or other indication about the applicability of the question to SSL, [crypto_certificate_verification] COULD be read to mean that you do not have to do certificate verification when the remote site only supports SSL and has not yet upgraded to TLS.

I'm sure this is not what was intended. I would like to recommend that an annotation be added to [crypto_certificate_verification] along the lines of:

[crypto_certificate_verification] (updated) The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A). (This requirement applies to all versions of SSL and TLS.)

TonyLHansen · Jun 27 '19 16:06
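As an added example (not part of this issue or of the best-practices-badge project), a small Python self-check a project could run against its own client `ssl.SSLContext` to confirm the behaviour the criterion asks for: certificate verification on by default, host name checking on, and no SSL or pre-1.2 TLS accepted, regardless of whether the code calls the protocol "SSL" or "TLS". The function names `audit_tls_context`, `default_client_context` and `weakened_client_context` are constructed for this example.

```python
import ssl
from typing import List

# Constructed checker for the [crypto_certificate_verification] and
# [crypto_tls12] criteria discussed above; not part of the badge project.

def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a client-side SSLContext.

    An empty list means the context verifies the peer certificate and host
    name by default and refuses SSL / TLS < 1.2.  The check is the same
    whether the project documents its transport as 'SSL' or 'TLS'.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum_version {ctx.minimum_version.name} allows SSL or TLS older than 1.2"
        )
    return findings


def default_client_context() -> ssl.SSLContext:
    """What a compliant client should ship: stdlib defaults plus an explicit floor."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The 'just make it connect' configuration the criterion rules out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE             # accepts any certificate, including forged ones
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # still negotiates pre-1.2 protocol versions
    return ctx


if __name__ == "__main__":
    for name, ctx in (("default", default_client_context()),
                      ("weakened", weakened_client_context())):
        problems = audit_tls_context(ctx)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```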