
Security guides (PCI-DSS, NIST, www.ncsc.gov.uk, French ANSSI ..) state that only TLSv1.2 should be allowed, and that TLSv1.0 and TLSv1.1 should be deactivated.

There is no security guide that gives any explicit recommendation for TLSv1.3.

My understanding is that TLSv1.3 should therefore not be activated for production systems until it is explicitly recommended by the security guide that rules the business activity area.

Is this correct?

1 Answer


I would suggest you use TLS v1.2 for now. There are two reasons for this:

  • TLS v1.3 is released as a "standard", but implementation in modern systems and applications is in progress now.
  • The last version of PCI-DSS is from August 2018, and you need to wait for the update that is going to come at the beginning of 2020, which brings a lot of changes to this documentation.
WhoKnows