Baseline TLS Configuration

Servers and clients participating in a Trust Framework must meet minimum standards in their TLS configuration. Other specifications may add further restrictions, but they must not introduce configurations that weaken security.

Machine-to-Machine

All machine-to-machine connections must use TLS 1.3 or later.

Client and server certificates must use ECDSA keys with the secp256r1 (P-256) or secp384r1 (P-384) curves. No wildcard names are permitted in the Subject or Subject Alternative Name extension.

The validity of certificates must be verified using the algorithms specified in the relevant RFCs and any other applicable Trust Framework specifications.

DNS for any hostnames used in machine-to-machine connections should use DNSSEC to provide additional integrity and authenticity guarantees.

Directory and Registry

The Directory and Registry must use TLS 1.3 and present a server certificate issued by a public Certificate Authority using an ECDSA key with the secp384r1 (P-384) curve. Wildcard names are not permitted.

The Directory and Registry must not require a client certificate.

DNS for any hostnames used by the Directory and Registry must use DNSSEC.

End-user services

End-user services, such as the user interface for OAuth Issuers, must use a TLS configuration compliant with the Member's written security policy.