sunhux
asked on
Review of apps API SSL Cert policy
I'm reviewing the attached SSL Server Cert Policy for apps API from
a vendor.
Q1:
Shouldn't there be a mention of TLSv1.0, 1.1, 1.2 (or is 1.3 out?)
somewhere?
Q2:
Shouldn't there be a mention of the number of bits and whether it's
SHA1/2?
Q3:
If our organization name is changing, should this be catered for
somewhere, or do we have to revoke and then change to the new
organization name? Any downtime for this change?
SSL-Server_CP_v1.2.docx
ASKER
"The RCA/OCA/RA applications must destroy private keys in memory by
overwriting them with zeros when the software shuts down."
Should the apps overwrite, say, 3 or 5 times, or just once? I suppose if the
software is not shut down, it's locking the private keys in memory, so
it's secure due to the locking?
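On the zeroization clause quoted above, here is an added example in C that shows what the "overwrite with zeros on shutdown" requirement looks like in practice. It is not code from the vendor's policy document or from the RCA/OCA/RA applications it describes; the 32-byte KEY_LEN, the key_slot type and the function names are assumptions for illustration. The volatile-pointer loop stands in for explicit_bzero(3) (glibc 2.25+) or memset_s (C11 Annex K), which are preferred where available; the point it demonstrates is that a plain memset() before the buffer goes out of scope can be deleted by the optimizer as a dead store, so the thing to specify is a non-optimizable single overwrite, not a pass count. mlock() is shown alongside because it is what "locking the private keys in memory" usually means: it keeps the page out of swap, and nothing more.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Added example, not the vendor's code. KEY_LEN is an assumed 256-bit key. */
#define KEY_LEN 32

typedef struct {
    uint8_t bytes[KEY_LEN];
    int locked;   /* 1 if mlock() succeeded for this slot */
} key_slot;

/* Zeroize through a volatile pointer so the compiler cannot treat the stores
 * as dead and drop them. One pass is sufficient for RAM; multi-pass wiping is
 * a magnetic-media idea. The real failure mode is the overwrite vanishing. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if every byte of the buffer is zero, 0 otherwise. */
int is_all_zero(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Copy a key into the slot and pin the slot's page so it cannot be swapped
 * to disk. mlock() does not protect against anything that can already read
 * the process's memory. Returns 1 if the lock succeeded, 0 if it did not
 * (e.g. RLIMIT_MEMLOCK exhausted; the key is still usable), -1 on bad length. */
int key_slot_load(key_slot *slot, const uint8_t *key, size_t len) {
    if (len != KEY_LEN) return -1;
    slot->locked = (mlock(slot, sizeof *slot) == 0);
    memcpy(slot->bytes, key, KEY_LEN);
    return slot->locked;
}

/* Shutdown path: one guaranteed overwrite, then release the pin.
 * Returns 1 if the buffer is verified zero afterwards. */
int key_slot_destroy(key_slot *slot) {
    secure_zero(slot->bytes, KEY_LEN);
    if (slot->locked) munlock(slot, sizeof *slot);
    slot->locked = 0;
    return is_all_zero(slot->bytes, KEY_LEN);
}

/* Full load/destroy cycle on a constructed key (not a real credential).
 * Returns 1 if the key was non-zero while loaded and zero after destroy. */
int roundtrip_demo(void) {
    uint8_t sample[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) sample[i] = (uint8_t)(0xA5 ^ i);
    key_slot slot;
    if (key_slot_load(&slot, sample, KEY_LEN) < 0) return 0;
    int was_live = !is_all_zero(slot.bytes, KEY_LEN);
    int zeroed = key_slot_destroy(&slot);
    secure_zero(sample, KEY_LEN);   /* scrub the stack copy as well */
    return was_live && zeroed;
}

int main(void) {
    printf("roundtrip ok=%d\n", roundtrip_demo());
    return 0;
}
```

Compile with -O2 and inspect the shutdown path in the disassembly to confirm the stores survive; do the same with a plain memset() in place of secure_zero() to see the difference the clause is meant to prevent.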