<div>
on pg 16,<br />
&quot;The RCA/OCA/RA applications must destroy private keys in memory by<br />
overwriting them with zeros when the software shuts down.&quot;<br />
Should the apps overwrite say 3 or 5 times or just once? &nbsp;I suppose if the<br />
software is not shut down, it's locking the private keys in memory, so<br />
it's secure due to locking ?
</div>


on pg 16,
"The RCA/OCA/RA applications must destroy private keys in memory by
overwriting them with zeros when the software shuts down."
Should the apps overwrite say 3 or 5 times or just once?  I suppose if the
software is not shut down, it's locking the private keys in memory, so
it's secure due to locking ?

<div>
<div class="content wysiwyg-content">
I'm reviewing the attached SSL Server Cert Policy for apps API from<br />
a vendor.<br />
<br />
Q1:<br />
Shouldn't there be a mention of TLSv1.0, 1.1, 1.2 (or is 1.3 out?) <br />
somewhere?<br />
<br />
Q2:<br />
Shouldn't there be mention of the number of bits, whether it's<br />
SHA1/2 &nbsp;?<br />
<br />
Q3:<br />
if our organization name is changing, should this be catered <br />
somewhere or we have to revoke &amp;&nbsp;then change to the new<br />
Organization name? &nbsp;Any downtime for this change?<br />
<a href="https://filedb.experts-exchange.com/incoming/2017/02_w07/1144225/SSL-Server_CP_v1.2.docx" target="_blank" class="file-inline" title="SSL Svr Cert Policy (157 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>SSL-Server_CP_v1.2.docx</a>
</div>
</div>


SSL-Server_CP_v1.2.docx

I'm reviewing the attached SSL Server Cert Policy for apps API from
a vendor.

Q1:
Shouldn't there be a mention of TLSv1.0, 1.1, 1.2 (or is 1.3 out?) 
somewhere?

Q2:
Shouldn't there be mention of the number of bits, whether it's
SHA1/2  ?

Q3:
if our organization name is changing, should this be catered 
somewhere or we have to revoke & then change to the new
Organization name?  Any downtime for this change?

Review of apps API SSL Cert policy

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

SSL / HTTPS

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.

Security

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In an encryption scheme, the intended communication information or message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. An authorized recipient can easily decrypt the message with the key provided by the originator to recipients, but not to unauthorized interceptors.