Security
For the communication, mTLS is used. For incoming TLS connections the following TLS versions and cipher suites are accepted:
| TLS version | Cipher Suite |
|---|---|
| 1.3 | TLS_AES_256_GCM_SHA384 |
Authentication
The issuer is authenticated by their client certificate and only has access to their data.
Separate certificates are required for the test and production environments.
Client certificates used by the API consumer
The issuer must obtain the certificates themselves and then forward the entire certificate chain to SIX Client Delivery. The issuer ensures that the certificates are renewed in time and that SIX Client Delivery is informed about the date of a certificate replacement one month in advance.
To guarantee a high level of security, the certificates must meet at least the following requirements:
- Validity of the user certificates: not expired, still valid for nine months for new registrations
- Validity of the root certificates: not expired, still valid for five years with new registration
- Standard: X.509 V3
- Signature algorithm: RSA-SHA-256 or better, ECDSA-SHA256 or better
- Key length: min. 2048 Bit
- Key Usage: Client Authentication