OWASP/owasp-masvs

MSTG-NETWORK-3: Certificate checks sufficient?

daMatz opened this issue · 1 comment

The requirement for MSTG-NETWORK-3 is:

The app verifies the X.509 certificate of the remote endpoint when the secure channel is established. Only certificates signed by a trusted CA are accepted.

Is this sufficient as a requirement for this topic?
What about additional checks like:

  • certificate validation check
  • certificate revocation check
  • signature check
  • certificate chain check

That's a valid point, and we should think about rephrasing this. I would love to say 'let the OS do it for you', but with all the third party frameworks that's probably not clear/secure enough.
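To make the four checks listed in the issue concrete, here is an added example (not MASVS/MSTG project code) in Go, using only the standard library's crypto/x509. It builds a constructed test PKI in memory (a trusted root CA, an untrusted root CA, and a leaf for the hypothetical host api.example.test) and then runs the endpoint certificate through chain building up to a trusted root, signature verification of each link, validity-period and hostname checks, and a revocation lookup. Because crypto/x509's Verify does not consult CRLs or OCSP, the revocation step here is a stand-in: a constructed set of revoked serial numbers that a real client would populate from a CRL or OCSP response. The point of the five scenarios is that only the first one is accepted; a client that skips any single check would accept at least one of the others.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed in-memory PKI used only for this example.
type testPKI struct {
	roots      *x509.CertPool    // the CA the client trusts
	otherRoots *x509.CertPool    // a CA the client does NOT trust
	leaf       *x509.Certificate // endpoint certificate issued by the trusted CA
}

// makeCert signs tmpl with signer (self-signed when parent == tmpl) and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// makeRoot creates a self-signed CA certificate with the given name (constructed data).
func makeRoot(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// buildPKI creates the trusted root, an unrelated root, and a one-hour leaf for api.example.test.
func buildPKI(now time.Time) (*testPKI, error) {
	root, rootKey, err := makeRoot("Example Trusted Root (constructed)", now)
	if err != nil {
		return nil, err
	}
	other, _, err := makeRoot("Example Untrusted Root (constructed)", now)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),
		Subject:      pkix.Name{CommonName: "api.example.test"},
		DNSNames:     []string{"api.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	roots, otherRoots := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	otherRoots.AddCert(other)
	return &testPKI{roots: roots, otherRoots: otherRoots, leaf: leaf}, nil
}

// verifyEndpoint applies the checks from the issue: chain building to a trusted root
// (which verifies every signature in the chain), validity period at `now`, hostname
// match, and a revocation lookup over every certificate in the accepted chain.
// `revoked` is a stand-in for CRL/OCSP data, keyed by serial number.
func verifyEndpoint(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time, revoked map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return fmt.Errorf("chain/signature/validity/hostname check failed: %w", err)
	}
	for _, c := range chains[0] { // crypto/x509 does not check revocation; do it explicitly
		if revoked[c.SerialNumber.String()] {
			return fmt.Errorf("certificate %q (serial %s) is revoked", c.Subject.CommonName, c.SerialNumber)
		}
	}
	return nil
}

// runChecks reports, per scenario, whether the endpoint was accepted. Only the first should be.
func runChecks() (map[string]bool, error) {
	now := time.Now()
	p, err := buildPKI(now)
	if err != nil {
		return nil, err
	}
	none := map[string]bool{}
	leafRevoked := map[string]bool{p.leaf.SerialNumber.String(): true}
	results := map[string]error{
		"trusted chain, valid, hostname matches": verifyEndpoint(p.leaf, p.roots, "api.example.test", now, none),
		"signed by an untrusted CA":              verifyEndpoint(p.leaf, p.otherRoots, "api.example.test", now, none),
		"expired leaf":                           verifyEndpoint(p.leaf, p.roots, "api.example.test", now.Add(2*time.Hour), none),
		"hostname mismatch":                      verifyEndpoint(p.leaf, p.roots, "evil.example.test", now, none),
		"leaf revoked":                           verifyEndpoint(p.leaf, p.roots, "api.example.test", now, leafRevoked),
	}
	accepted := make(map[string]bool, len(results))
	for name, e := range results {
		accepted[name] = e == nil
	}
	return accepted, nil
}

func main() {
	accepted, err := runChecks()
	if err != nil {
		panic(err)
	}
	for name, ok := range accepted {
		fmt.Printf("%-40s accepted=%v\n", name, ok)
	}
}
```

On Android and iOS the equivalent of `Verify` is the platform TLS stack (plus Network Security Config or App Transport Security), which is what "let the OS do it" refers to; the revocation step is the one a client is most likely to be missing, since neither this stdlib call nor many third-party HTTP frameworks perform it by default.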