Merge pull request #1465 from ietf-tapswg/tfpauly-patch-46

ietf-tapswg · Jan 30, 2024 · e6222cd · e6222cd
2 parents 186a63f + 196b61c
commit e6222cd
Showing 1 changed file with 20 additions and 1 deletion.
diff --git a/draft-ietf-taps-interface.md b/draft-ietf-taps-interface.md
@@ -1595,7 +1595,9 @@ configuration and actively during a handshake.
 The set of security parameters defined here is not exhaustive, but illustrative.
 Implementations SHOULD expose an equivalent to the parameters listed below to allow for
 sufficient configuration of security parameters, but the details are expected
-to vary based on platform and implementation constraints.
+to vary based on platform and implementation constraints. Applications MUST be able
+to constrain the security protocols and versions that the Transport Services System
+will use.
 
 Representation of security parameters in implementations ought to parallel
 that chosen for Transport Property names as suggested in {{scope-of-interface-defn}}.
@@ -1615,6 +1617,23 @@ SecurityParameters := NewDisabledSecurityParameters()
 SecurityParameters := NewOpportunisticSecurityParameters()
 ~~~
 
+### Allowed security protocols
+
+Name:
+: allowedSecurityProtocols
+
+Type:
+: Implementation-specific enumeration of security protocol names and/or versions.
+
+Default:
+: Implementation-specific best available security protocols
+
+This property allows applications to restrict which security protocols and security protocol versions can be used in the protocol stack. Applications MUST be able to constrain the security protocols used by this or an equivalent mechanism, in order to prevent the use of security protocols with unknown or weak security properties.
+
+~~~
+SecurityParameters.Set(allowedSecurityProtocols, [ tls_1_2, tls_1_3 ])
+~~~
+
 ### Certificate bundles
 
 Names: