.Security & .Protection Security Requirements

Last updated: 27 January 2017

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Transport Layer Security

Transport Layer Security (TLS) should be implemented using trusted protocol versions. Web sites on .Security and .Protection should comply with RFC 7525 (Recommendations for Secure Use of Transport Layer Security [TLS] and Datagram Transport Layer Security [DTLS]). Transport Layer Security should be implemented securely to protect the integrity and confidentiality of data in transit. Transport Layer Security 1.1 or greater should be used. SSL 2.0 and 3.0 are explicitly prohibited. RFC 5746 (Transport Layer Security (TLS) Renegotiation Indication Extension) should be implemented.

The following cipher suite components (authentication, encryption, message authentication code and key exchange algorithms) are excluded from use within the secure zone: Anon, DES, 3DES, FIPS, GOST 28147-89, IDEA, WITH_SEED, MD5, NULL, EXPORT, EXPORT1024 and SRP.

Web sites on .Security and .Protection domains should be offered using HTTPS deployed in accordance with the above requirements. HTTP Strict Transport Security (as described in RFC 6797) should be enabled on all web servers. Plaintext HTTP services should perform a 301 redirect to the corresponding HTTPS URI.
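The requirements above (permitted protocol versions, excluded cipher suite components, HSTS and the plaintext-HTTP redirect) can be checked mechanically. The following is an added example, not the registry's own scanner; the site descriptions and hostnames in it are constructed, and cipher suites are matched as whole tokens of their IANA-style names so that, for instance, AES is never mistaken for DES.

```python
import re

# Cipher suite components excluded by the requirements, as name tokens.
# GOST is matched by prefix because its suite names carry a numeric suffix.
EXCLUDED_TOKENS = {"ANON", "DES", "3DES", "FIPS", "IDEA", "SEED", "MD5",
                   "NULL", "EXPORT", "EXPORT1024", "SRP"}
ALLOWED_VERSIONS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}  # TLS 1.1 or greater


def cipher_violations(suite):
    """Excluded components found in a suite name such as
    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA, compared token by token."""
    tokens = suite.upper().split("_")
    return sorted({t for t in tokens if t in EXCLUDED_TOKENS or t.startswith("GOST")})


def hsts_ok(headers):
    """True when a Strict-Transport-Security header with a max-age is present (RFC 6797)."""
    value = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security", "")
    return re.search(r"max-age\s*=\s*\d+", value, re.I) is not None


def check_site(config):
    """Return the list of findings for a site description (constructed dict)."""
    findings = []
    for version in config["protocols"]:
        if version not in ALLOWED_VERSIONS:
            findings.append(f"protocol {version} not permitted (TLS 1.1 or greater required)")
    for suite in config["ciphers"]:
        for bad in cipher_violations(suite):
            findings.append(f"cipher suite {suite} uses excluded component {bad}")
    if not hsts_ok(config["https_headers"]):
        findings.append("Strict-Transport-Security header missing or without max-age")
    http = config["http_response"]
    if http["status"] != 301 or not http.get("location", "").startswith("https://"):
        findings.append("plaintext HTTP must 301 redirect to the HTTPS URI")
    return findings


WEAK_SITE = {  # constructed: violates several requirements
    "protocols": ["SSLv3", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_DH_anon_WITH_AES_256_CBC_SHA"],
    "https_headers": {"Content-Type": "text/html"},
    "http_response": {"status": 200},
}
GOOD_SITE = {  # constructed: compliant configuration
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
    "https_headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "http_response": {"status": 301, "location": "https://example.security/"},
}

if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("good", GOOD_SITE)):
        print(name, check_site(site) or "compliant")
```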

Certificate Authorities

All certificates issued for use under .Security and .Protection should be issued by a Certificate Authority compliant with the CA/Browser Forum Baseline Requirements (version 1.3.0 or later). Self-signed certificates should not be used, unless in combination with a DNSSEC-signed TLSA record (see below).

Certificate Validation Model

TLS-secured websites that receive and process Personally-Identifiable Information (PII) or confidential financial information such as credit and debit card details, bank account information, social security numbers and other data, should use an Extended Validation (EV) certificate. Other websites MAY use a Domain-Validated (DV) certificate.

Enforcement

The registry will periodically scan the .Security and .Protection namespace to encourage all registrants to comply with the above requirements. If a registrant fails to comply with the requirements described above, the registry may notify the registrar and the registrar should notify the registrant. The registrant is strongly encouraged to update their web site to maximize the trust and security ensured by their .Security and .Protection domain. If the registry determines that there is a high likelihood of harm resulting from the security deficiency, it reserves the right to suspend the registration immediately.