Updated OFTP2 Guidelines now available

The Odette OFTP2 Experts Group regularly reviews the OFTP2 protocol in order to ensure that it always meets current business and security requirements. The Group has recently recommended several updates to the OFTP2 Implementation Guidelines to ensure that the extensive OFTP2 community remains secure.

  • Move to SHA-256 algorithm: Several announcements have recently been made by the IT industry regarding certificates signed with the SHA-1 signature algorithm, which is considered likely to be broken in the near future. The Odette Certificate Authority (CA) has therefore decided to switch to signing its certificates with SHA-256 (a member of the SHA-2 family). All Odette recommended OFTP2 software products, from providers who have taken an active part in the development of the revised guidelines, are currently being tested to ensure that they can handle SHA-256 signed certificates before the switch is made by the Odette CA.
  • PFS - Perfect Forward Secrecy: the current method of securing transmission sessions, in which the session key is protected by the server's long-term asymmetric key pair, is considered vulnerable: if an attacker records the encrypted data exchange and later obtains the private key, they can decrypt the whole content of the recorded exchange. Perfect Forward Secrecy prevents this, because each session derives its key from ephemeral values that are discarded afterwards, so a later compromise of the long-term private key does not expose past sessions. The community has therefore agreed to make PFS, using a Diffie-Hellman Ephemeral (DHE) key exchange, the default method of setting up the secure channel (Transport Layer Security, TLS), and a cipher suite using this key exchange should be offered as the first option when establishing session security.
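
The following pure-Python script is an added example, not part of the Guidelines or of any OFTP2 product, that models the threat described in the PFS item: a passive attacker records a session and later obtains the server's long-term private key. For a self-contained demonstration it uses finite-field Diffie-Hellman for both cases, a static exchange in which the server's long-term key is the exchange key (sharing with RSA key transport the property that one long-term secret unlocks every recorded session) versus DHE, where a fresh key pair is generated per session and thrown away. The function names and session model are the example's own; signing of the ephemeral values by the long-term key, which real DHE cipher suites require, is left out. The group parameters are transcribed from RFC 3526 (group 14); verify them against the RFC before reuse.

```python
"""Added example: why an ephemeral (DHE) key exchange gives forward secrecy.

Pure-Python finite-field Diffie-Hellman over the 2048-bit MODP group of
RFC 3526, group 14. Illustrative only: no authentication of the exchanged
values and no key-confirmation, so do not lift this into a product.
"""
import hashlib
import secrets

# RFC 3526, group 14: 2048-bit MODP prime, generator 2 (transcribed here).
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def dh_keypair():
    """Random private exponent in [2, P-2] and its public value G^x mod P."""
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def session_key(peer_pub, own_priv):
    """Symmetric key derived from the shared secret peer_pub^own_priv mod P."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).hexdigest()


def run_session(server_long_term, ephemeral):
    """One handshake; returns (recorded transcript, client key, server key).

    server_long_term: (priv, pub) pair the server keeps across sessions.
    ephemeral=False: the server reuses its long-term key for the exchange,
                     so that one private key protects every session (no PFS).
    ephemeral=True:  the server generates a fresh pair for this session only
                     (DHE); the long-term key would only sign the exchange.
    """
    server_priv, server_pub = dh_keypair() if ephemeral else server_long_term
    client_priv, client_pub = dh_keypair()
    # Everything an eavesdropper on the wire can record.
    transcript = {"client_pub": client_pub, "server_pub": server_pub}
    client_key = session_key(server_pub, client_priv)
    server_key = session_key(client_pub, server_priv)
    # The ephemeral exponents go out of scope here; nothing that could
    # recompute the shared secret survives the session.
    return transcript, client_key, server_key


def attacker_recovers(transcript, compromised_server_priv):
    """Passive attacker who recorded the transcript and later obtained the
    server's long-term private key: the only key they are able to compute."""
    return session_key(transcript["client_pub"], compromised_server_priv)


def demo():
    """Returns, per mode, whether the recorded session was decryptable
    once the long-term key leaked: {False (static): True, True (DHE): False}."""
    long_term = dh_keypair()
    outcome = {}
    for ephemeral in (False, True):
        transcript, client_key, server_key = run_session(long_term, ephemeral)
        assert client_key == server_key  # both sides agree in either mode
        outcome[ephemeral] = attacker_recovers(transcript, long_term[0]) == client_key
    return outcome


if __name__ == "__main__":
    for ephemeral, broken in demo().items():
        mode = "DHE (ephemeral)" if ephemeral else "static key exchange"
        print(f"{mode:22s}: recorded session decryptable after key leak = {broken}")
```

The static case shows exactly the failure mode the Guidelines address: the attacker needs nothing but the recording and the leaked long-term key. In the DHE case the leaked key was never an input to the session key, and the exponents that were are gone. On a live OFTP2/TLS endpoint the equivalent check is to confirm that the negotiated cipher suite's key exchange is DHE (or ECDHE) rather than plain RSA key transport, for example by inspecting the suite reported by `openssl s_client`.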

These changes are fully explained in the OFTP2 Implementation Guidelines V2.3, which can be downloaded free of charge here.