
Change history for the BSI minimum standard for the use of Transport Layer Security (TLS)

Key changes in the updated minimum standard compared with the respective previous version are listed here. To keep the list compact and make comparisons easier, only major substantive changes are listed. Structural changes, changes to wording and minor updates (e.g. version changes for referenced documents) are therefore not described, or are only summarised.

Version 2.4 from 25.05.2023

General

  • The preface was revised according to the currently valid version
  • Updating of references
  • Adaptation of the bibliography and list of abbreviations
  • Revision of the reference table and the auxiliary document

Security requirements

TLS.2.0.02 - Use of cryptographic methods

  • Adjustment of the reference to a specific version of the Technical Guideline TR-02102-2 to the 'current' version.
  • Footnote for comparison with Technical Guideline TR-02102-2 has been added.

TLS.2.0.03 - Deviations and risk management

  • Added footnotes referencing RFC 8996 (Internet Engineering Task Force, 2021), which deprecates TLS 1.0 and TLS 1.1.

TLS.2.0.05 - Security requirements for federal projects

  • Adjusted reference to a specific version of Technical Guideline TR-03116-4 to the 'current' version.

Version 2.3 from 15.03.2022

General

  • The preface was revised with reference to the new IT-SiG 2.0
  • Chapter 1 'Description' broken down into subchapters

    • 1.1 Introduction and delimitation
    • 1.2 Modal verbs
  • Updating of references
  • Adaptation of the bibliography and list of abbreviations
  • Revision of the reference table and the auxiliary document

Security requirements

  • Numbering of safety requirements has been adapted
    Safety requirements are numbered by an identification number and can thus be referenced. The designation of the individual safety requirements consists of the abbreviation of the respective minimum standard, the chapter number, the subchapter number, and the requirement number (see example illustration). This may be subdivided into sub-requirements by letters in certain optional cases.
    Since the MST-TLS does not have a subchapter structure, the security requirements are numbered according to the scheme TLS.2.0.01 \02 \03... numbered.

    [Figure: generic structure of the requirement numbering in the BSI federal minimum standards (Mindeststandards Bund)]

  • TLS.2.0.05: 'Security requirements for federal projects'

    • In deviation from TR-02102-2, requirement TLS.2.0.05 b) allowed the hash function SHA-224 to be used in signature algorithms up to and including 2021, and also allowed the elliptic curve secp224r1 (IANA no. 21) to be used up to and including 2021. Since this transitional period has expired, requirement TLS.2.0.05 b) has been removed from the minimum standard.
    • Figure 1 (Minimum Standard for the Use of Transport Layer Security and Technical Guidelines) adjusted to reflect the updated security requirements.

Version 2.2 from 03.05.2021

General

  • Distinction between TLS versions and TLS procedures (cryptographic methods) introduced by splitting TLS.2.1.01
  • Introduction of the term 'non-conforming versions and procedures'
  • Risk treatment listed as separate item TLS.2.1.03 (deviations and risk management)
  • Subdivision of risk treatment into individual requirements under TLS.2.1.03
  • Breakdown of security requirement for federal projects into single requirements.
  • Updating of references
  • Adaptation of the list of literature and abbreviations

Security requirements

TLS.2.1.01: 'Use of TLS' has been adjusted.

  • Restriction of requirements in this item to TLS versions.
  • TLS procedures and risk management are listed separately in TLS.2.1.02 and TLS.2.1.03.

TLS.2.1.02: 'Use of cryptographic procedures' was added

  • Requirement for TLS procedures has been removed from TLS.2.1.01 and listed separately in TLS.2.1.02.

TLS.2.1.03: 'Deviations and risk management'.

  • Deviations and risk management removed from TLS.2.1.01 and listed separately under TLS.2.1.03.
  • Breakdown of risk management into individual requirements.
  • The treatment of deviations, previously limited to deviations to older TLS versions, was extended to cover deviations to TLS versions and procedures that do not conform to the minimum standard.

TLS.2.1.04: 'TLS for Web Servers'

  • Explanation of the term 'obsolete procedures' from IT-Grundschutz adapted (now 'obsolete versions and procedures')

TLS.2.1.05: 'Security requirements for federal projects'.

  • Breakdown into individual requirements
  • Since TR-03116-4 is weaker than TR-02102-2 with regard to the use of SHA-224 and elliptic curves, the requirement is no longer formulated as a MUST but as a CAN requirement.

Version 2.1 from 09.04.2020

General

  • Usage of defined modal verbs
  • Definition added about modal verbs used
  • Subdivision of security requirements
  • Updating of references
  • Amendments to bibliography and list of abbreviations

Security requirements

TLS.2.0.01: 'Use of TLS' was amended

  • Requirement to review activated versions and deactivate insecure versions was added.
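The review called for above is, in practice, a check of the versions and parameters a server's TLS configuration actually enables. The following is an added example, not part of the BSI change history or of any BSI tooling: a small Python audit helper that reads nginx-style `ssl_protocols` and `ssl_ecdh_curve` directives from a constructed configuration snippet, flags the versions deprecated by RFC 8996 (TLS 1.0 and 1.1, plus SSLv2/SSLv3) and the curve secp224r1 whose transitional allowance under TLS.2.0.05 b) expired after 2021, and rewrites the directives to a conforming form. The directive names, the sample configuration and the policy sets (which versions and curves count as non-conforming) are assumptions made for the example; TR-02102-2 remains the authoritative source for permitted parameters.

```python
"""Added example: audit nginx-style TLS directives against the MST-TLS requirement
to deactivate insecure versions. Not BSI code; policy sets are assumptions."""
import re

# Assumption: versions deprecated by RFC 8996 (TLS 1.0/1.1) and their predecessors
# are the "insecure versions" that must be deactivated; TLS 1.2 and 1.3 remain.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CONFORMING_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Assumption: secp224r1 was only tolerated up to and including 2021 (TLS.2.0.05 b),
# so it is treated as no longer permitted. Names follow the OpenSSL/nginx spelling.
EXPIRED_CURVES = {"secp224r1"}

# Constructed sample configuration (not taken from any real system).
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ecdh_curve secp224r1:prime256v1:secp384r1;
    ssl_prefer_server_ciphers on;
}
"""

# Matches one directive per line, keeping its indentation so a rewrite stays tidy.
_DIRECTIVE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<name>ssl_protocols|ssl_ecdh_curve)[ \t]+(?P<value>[^;]+);",
    re.MULTILINE,
)


def parse_tls_directives(config: str) -> dict[str, list[str]]:
    """Return {'ssl_protocols': [...], 'ssl_ecdh_curve': [...]} for directives present.

    ssl_protocols is space-separated, ssl_ecdh_curve is colon-separated in nginx.
    """
    found: dict[str, list[str]] = {}
    for m in _DIRECTIVE.finditer(config):
        name, value = m.group("name"), m.group("value").strip()
        sep = ":" if name == "ssl_ecdh_curve" else None
        found[name] = [tok for tok in value.split(sep) if tok]
    return found


def audit(config: str) -> list[str]:
    """List findings that would make the configuration non-conforming."""
    findings: list[str] = []
    directives = parse_tls_directives(config)
    protocols = directives.get("ssl_protocols")
    if protocols is None:
        # A missing directive means the build default applies, which must be
        # verified separately rather than assumed to be safe.
        findings.append("ssl_protocols not set; server relies on the build default")
    else:
        for proto in protocols:
            if proto in DEPRECATED_VERSIONS:
                findings.append(f"deprecated protocol enabled: {proto}")
            elif proto not in CONFORMING_VERSIONS:
                findings.append(f"unknown protocol token: {proto}")
    for curve in directives.get("ssl_ecdh_curve", []):
        if curve in EXPIRED_CURVES:
            findings.append(f"curve no longer permitted: {curve}")
    return findings


def harden(config: str) -> str:
    """Rewrite the two directives so that only conforming versions/curves remain."""
    def fix(m: re.Match) -> str:
        indent, name, value = m.group("indent"), m.group("name"), m.group("value")
        if name == "ssl_protocols":
            kept = [v for v in value.split() if v in CONFORMING_VERSIONS]
            # If nothing conforming was enabled, fall back to TLS 1.2 and 1.3.
            kept = kept or sorted(CONFORMING_VERSIONS)
            return f"{indent}{name} {' '.join(kept)};"
        kept = [v for v in value.split(":") if v and v not in EXPIRED_CURVES]
        return f"{indent}{name} {':'.join(kept)};"
    return _DIRECTIVE.sub(fix, config)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(harden(SAMPLE_CONFIG))
```

The audit treats an absent `ssl_protocols` directive as a finding rather than as conforming, because the effective version set then depends on the server build and must still be reviewed; the same pattern extends to `ssl_ciphers` once the permitted suites from TR-02102-2 are encoded as a policy set.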

TLS.2.0.02: 'TLS for web servers' was added

  • Provision of detail for basic requirement APP.3.2.A11 from the 2020 IT-Grundschutz Compendium.