Would OWASP be interested in publishing a guide on how to do cross-organization mTLS?

[MarkSRobinson]

I've been working with cross-organization mTLS for quite a while and the standard guidance (just do whatever you want) is remarkably terrible.

Would OWASP be interested in publishing a guide on how to do it right that focuses on security, operations, and not emailing certificates around?

[kingthorin]

Sure. Not sure if it's best here or as part of the cheat sheet series. Lemme see if I can drum up some other input.

[bkimminich]

Agree that this sounds like a good Cheat Sheet! Maybe there's even one where this could fit in already?

[kwwall]

@MarkSRobinson - Would you mind bring this up as an issue for the OWASP Cheat Sheet Series at https://github.com/OWASP/CheatSheetSeries/issues ? I am both a contributor and reviewer of Cheat Sheets and I think this would be more appropriate there. Thanks.

[oej]

There is a discussion in the IETF UTA wg about writing specs for mTLS which is missing.

[MarkSRobinson]

@kwwall Good idea - OWASP/CheatSheetSeries#1492