
Annex Cipher Reference ONVIF Advanced Security Specification

Open kieran242 opened this issue 1 year ago • 5 comments

This PR has been created off the back of issue #483. Note, as per my comment in the issue, that I am not defining or proposing algorithms for digital signatures, key exchange, etc.; this is, I believe, outside the scope of reference of the ONVIF Standards.

I have created, as suggested, an additional Annex to the ONVIF Advanced Security Specification with a small subset of ciphers covering TLS 1.2 / 1.3 that are common recommendations issued as guidance by the bodies Cloudflare, IETF (TLS 1.2, TLS 1.3), Mozilla, and ciphersuite.info (TLS 1.2, TLS 1.3).

I also wish to use this PR to gather information from other ONVIF members as to further extend the PR as appropriate.

N.B. I have not included the following two TLS 1.3 cipher suites, TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256, only because neither Cloudflare nor Mozilla recommended them. I will be happy to include them should a consensus be reached on them.

kieran242 avatar Oct 21 '24 14:10 kieran242
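As an added example (not part of the PR or of the ONVIF specification), the following script shows how an operator could check a device's advertised cipher suites against an annex allow-list of this kind. The TLS 1.3 set follows the post above (the RFC 8446 suites minus the two CCM suites); the TLS 1.2 set is an assumption made here, since the PR text does not reproduce its annex table. The sample list of advertised suites is constructed for illustration.

```python
"""Cipher-suite allow-list check (added example, not part of the ONVIF PR).

Suite names are IANA registry names. The TLS 1.3 set follows the PR text
(all RFC 8446 suites except the two CCM ones); the TLS 1.2 set is an
assumption, because the PR does not reproduce its annex table.
"""
import ssl

# TLS 1.3 (RFC 8446): the PR keeps these three ...
TLS13_ALLOWED = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
# ... and leaves these out because neither Cloudflare nor Mozilla recommend them.
TLS13_OMITTED = {"TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256"}

# Assumed TLS 1.2 subset: ECDHE key exchange (forward secrecy) with an AEAD
# cipher, mapped to the OpenSSL names that Python's ssl module reports.
TLS12_ALLOWED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}


def classify(advertised):
    """Sort the suites a device advertises into allowed / omitted CCM / other.

    `advertised` is an iterable of IANA suite names, e.g. parsed from a
    ClientHello capture or from a device's exported TLS configuration.
    """
    result = {"allowed": [], "omitted_ccm": [], "not_in_annex": []}
    for name in advertised:
        if name in TLS13_ALLOWED or name in TLS12_ALLOWED:
            result["allowed"].append(name)
        elif name in TLS13_OMITTED:
            result["omitted_ccm"].append(name)
        else:
            result["not_in_annex"].append(name)
    return result


def openssl_cipher_string():
    """OpenSSL cipher string that restricts TLS 1.2 to the allow-list."""
    return ":".join(TLS12_ALLOWED.values())


def local_support():
    """Which allow-listed suites the local OpenSSL build can actually use.

    Returns (tls13_names, tls12_names). OpenSSL's default TLS 1.3 list is
    exactly the three GCM/ChaCha suites, so a context that only restricts
    the TLS 1.2 cipher string already matches the whole allow-list.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher_string())
    names = {c["name"] for c in ctx.get_ciphers()}
    return (sorted(names & TLS13_ALLOWED),
            sorted(names & set(TLS12_ALLOWED.values())))


if __name__ == "__main__":
    # Constructed sample: what a hypothetical device might advertise.
    sample = [
        "TLS_AES_256_GCM_SHA384",
        "TLS_AES_128_CCM_8_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",   # static RSA key exchange, no forward secrecy
    ]
    for bucket, names in classify(sample).items():
        print(f"{bucket}: {names}")
    tls13, tls12 = local_support()
    print("local TLS 1.3:", tls13)
    print("local TLS 1.2:", tls12)
```

The `classify` bucket `not_in_annex` is where review effort belongs: suites there are either outside the recommended set (as the static-RSA CBC suite in the sample) or candidates to be raised for inclusion, which is exactly the consensus this PR asks members for.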

This Annex seems to overlap quite a bit with the recently discussed "Security Extension" concept that was discussed during the last Cloud Profile meeting with the TSC. Is this related to it or is it an independent proposal?

jmelancongen avatar Oct 22 '24 16:10 jmelancongen

This Annex seems to overlap quite a bit with the recently discussed "Security Extension" concept that was discussed during the last Cloud Profile meeting with the TSC. Is this related to it or is it an independent proposal?

The ciphers were presented at the Cloud Profile virtual meetings, then discussed in TC and VE at the Bangkok F2F meetings on the last day, and as per the advice and action item from those meetings the issue was raised and this pull request opened to gather further comments. Further to this, within the issue and this PR I have defined the scope to just ciphers, after comments about that at the meetings.

Regarding the TSC, yes it was discussed with them at the same meeting and will be further in San Diego.

kieran242 avatar Oct 23 '24 09:10 kieran242

LGTM, the only question is what "bodies" might qualify as, but that's very esoteric; they carry the de facto standard.

Thank you Axel, that is why I further raised the PR to get more targeted consensus as to "What Bodies" and either add or remove Ciphers to this list.

kieran242 avatar Oct 23 '24 09:10 kieran242

I think they are sufficient to reach a consensus of acceptable algorithms, internet standardization is not always as clear as only relying on IETF & other "proper" bodies.

AxelKeskikangas avatar Oct 23 '24 11:10 AxelKeskikangas

Sorry, but I have the feeling we are recreating the issues we had with Profile Q. Security is a moving target, we cannot put it in a technical specification.

From my perspective, the choice of the ciphers is a quality issue, which is orthogonal to the technical specifications. If we want to create an informative annex so that we can instruct people to look at the right organizations for security it is fine for me, although I think it may not be very useful.

ocampana-videotec avatar Oct 23 '24 19:10 ocampana-videotec

Thanks all for the updates to the PR; I will update accordingly.

kieran242 avatar Nov 13 '24 19:11 kieran242