Misleading description in A02:2021, should be moved to A07:2021 #724

Open
kwwall opened this issue Jul 8, 2022 · 0 comments
Comments


kwwall commented Jul 8, 2022

In A02:2021 - Cryptographic Failures, under the Description section, it states:

  • Is the received server certificate and the trust chain properly validated?

I believe that this statement is in the wrong OT10 item and should be (re)moved.

If you look at the corresponding CWE, this is primarily a case of CWE-296: Improper Following of a Certificate's Chain of Trust. It has little, if anything, to do with a cryptographic failure, but rather it is an authentication failure as CWE-296 makes obvious if you follow the CWE chain to its parent CWE-295.

I believe (and I think MITRE would agree) that the bullet item I referenced is an authentication failure. Specifically, it is a failure to properly authenticate the host you are intending to connect to over a TLS connection. Indeed, I believe a better fit for this statement would be to move it to A07:2021.
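The bullet under discussion ("Is the received server certificate and the trust chain properly validated?") maps to concrete client settings. The block below is an added illustration, not code from the OWASP Top 10 project or from the issue author: it builds the CWE-295/CWE-296 failure pattern beside its hardened form using Python's standard ssl module, and audits an SSLContext for the settings that leave the server unauthenticated. The helper names (insecure_client_context, secure_client_context, audit_context) are assumptions made for this example.

```python
"""Added example (hypothetical helpers, not the OWASP project's own code):
what "properly validated" means for a TLS client in terms of ssl.SSLContext,
and an audit that flags the authentication failure the issue describes."""
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The CWE-295 / CWE-296 pattern: the handshake still encrypts the
    channel, but the client never establishes who it is talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be disabled before CERT_NONE,
    # otherwise the ssl module raises ValueError.
    ctx.check_hostname = False          # no binding of the cert to the host
    ctx.verify_mode = ssl.CERT_NONE     # chain of trust is not validated
    return ctx


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server-authenticating client: chain validated against loaded CAs and
    the leaf certificate bound to the requested hostname."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    # create_default_context already sets both; restated to make the
    # authentication contract explicit for the reader.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons a client built from ctx would NOT authenticate
    the server. An empty list means the two checks in the bullet hold."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "CWE-295/CWE-296: verify_mode is CERT_NONE, the server chain "
            "is never validated (any certificate is accepted)")
    if not ctx.check_hostname:
        findings.append(
            "CWE-297: check_hostname is False, a certificate for any "
            "subject is accepted for this host")
    # A validated chain still needs a trust anchor; with no CA loaded the
    # handshake fails closed, which is safe but worth surfacing.
    if ctx.verify_mode != ssl.CERT_NONE and \
            ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append(
            "no CA certificates loaded: verification can never succeed "
            "(load_verify_locations / load_default_certs missing)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(name, audit_context(ctx) or "server is authenticated")
```

When the hardened context is actually used, the hostname check only fires if the caller passes the intended host, e.g. `ctx.wrap_socket(sock, server_hostname=host)`; omitting `server_hostname` with `check_hostname=True` raises an error rather than silently skipping the check. The third finding is environment-dependent: `create_default_context()` loads the system CA store, which may be empty in a minimal container.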
