Stream: Security and Privacy
Topic: TLS 1.2 or higher
John Moehrke (Jun 26 2018 at 19:10):
The Security WG is considering setting a minimum requirement of TLS 1.2 or higher. We understand that there might be legacy systems that do not yet support TLS 1.2, but need to understand how large the impact would be. Please let me know if you have systems that would not be able to support TLS 1.2 or higher.
Note that IETF Best Current Practice allows TLS 1.1 only where the two systems do not support TLS 1.2, and only allows TLS 1.0 when the two systems do not support TLS 1.1 or TLS 1.2. https://tools.ietf.org/html/bcp195
Note that PCI recommendations specify TLS 1.1 or higher, with a recommendation to use TLS 1.2. https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
Grahame Grieve (Jun 27 2018 at 04:04):
why would we make this a requirement?
Lloyd McKenzie (Jun 27 2018 at 05:30):
I'm assuming this would only apply to systems that support TLS at all...
John Moehrke (Jun 27 2018 at 12:59):
A CP has been entered by representatives of ONC ... Yes, it would be more of a forbiddance against TLS less than 1.2.... so if you are not using TLS, you are not affected.
Kevin Shekleton (Jun 27 2018 at 19:22):
What is a "CP"?
I think it is odd FHIR would have a requirement like this around a specific TLS version. If we're going to require a minimum TLS version, should we also start defining a whitelist or blacklist of cipher suites over these TLS connections? I ask this to try and find where the line is as to what FHIR prescribes from a security perspective given its current state today of being largely agnostic to all of this.
Grahame Grieve (Jun 27 2018 at 19:49):
ONC can make this rule for their own jurisdiction, but FHIR is for everyone. I'm not at all clear about why HL7 should make a ruling on this.
Grahame Grieve (Jun 27 2018 at 19:49):
CP = John's name for a gForge task ("change proposal")
John Moehrke (Jun 27 2018 at 20:39):
sorry... IHE uses CP... FHIR uses CR... sometimes I have the wrong hat on.
John Moehrke (Jun 27 2018 at 20:39):
I am happy saying that these normative requirements belong in IG, not in core spec...
John Moehrke (Jun 27 2018 at 20:39):
but need community support one way or the other.
John Moehrke (Jun 27 2018 at 20:44):
GF#17422: Mandatory floor of TLS 1.2 ---- Please provide follow-up if you want to.
John Moehrke (Jul 10 2018 at 16:12):
Any other input on this proposal?
Last updated: Apr 12 2022 at 19:14 UTC