Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-34798

incompatible with 800-52

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Persuasive
    • Icon: Medium Medium
    • US PACIO Advance Directive Interoperability (FHIR)
    • 0.1.0
    • Patient Empowerment
    • STU
    • Security, Privacy, and Consent
    • Hide

      Change the requirement to:

      The exchange of information SHALL support Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246) or a more recent version of TLS for transport layer security.

      Show
      Change the requirement to: The exchange of information  SHALL support  Transport Layer Security (TLS) Protocol Version 1.2 (RFC5246)  or a more recent version of TLS for transport layer security.
    • Corey Spears/Virginia Lorenzi : 10-0-0
    • Clarification
    • Non-substantive

    Description

      The IG says this:

      1. The exchange of information SHOULD use the current version and SHALL use either current or the immediately prior release of Transport Level Security (TLS) as specified by the current release of NIST guidelines (SP 800-52).

      SHOULD use current (1.3), SHALL use either prior (1.2) or current (1.3) ... as specified by SP 800-52.

      But Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (nist.gov) says: SHALL support 1.2 and SHOULD support 1.3. 

      So, if an implementer followed your recommendation and only used the current version of TLS, they would be out of compliance with 800-52. Right?

      I'd encourage you to merely point to external guidance.

       

       

      Attachments

        Activity

          People

            michael_donnelly Michael Donnelly
            Isaac.Vetter Isaac Vetter
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: