Checking again, I think I misread our current requirements, which seem to be mostly in line with what I’m asking. I actually think the only changes (in addition to the change you mentioned) I’d want to see are:
- No TLS errors/vulnerabilities when being profiled by tools such as Hardenize, testssl.sh or Qualys SSL Labs, this includes certificate related errors, poor or weak ciphers suites, weak DH parameters such as those that led to Logjam.
Changed to something along the lines of:
- No TLS errors or vulnerabilities when being profiled by tools such as Hardenize, testssl.sh or Qualys SSL Labs, this includes certificate related errors and weak DH parameters such as those that led to Logjam.
- A server suite preference (optional on TLSv1.3) for strong cipher suites which support forward secrecy and authenticated encryption.
Because I think “poor or weak cipher suites” is unclear, and Tutanota (probably others) do support weak cipher suites at a lower preference. I also believe server suite preferences are not required for TLSv1.3 to accommodate low-power clients which may only support certain encryption schemes in hardware (since all TLSv1.3 ciphers are considered secure at the moment).