ai-agent/symphony-ai-agent/specs/security.md

Security Specifications (SYM-SEC)

SYM-SEC-004: Transport Layer Security

Effective: 2025-05-02
Last Revised: 2025-05-02
Status: Active

1. Cryptographic Protocols

  • TLS 1.3 REQUIRED for all external communications
  • Forward secrecy REQUIRED (ECDHE with X25519 preferred)
  • AES-256-GCM REQUIRED for symmetric encryption

2. Certificate Requirements

  • All certificates MUST use SHA-256 with RSA (3072+ bits) or ECDSA (P-384)
  • Certificate transparency logging REQUIRED
  • Maximum certificate validity: 398 days

3. Cipher Suite Priorities

  1. TLS_AES_256_GCM_SHA384
  2. TLS_CHACHA20_POLY1305_SHA256
  3. TLS_AES_128_GCM_SHA256

4. RBAC Integration Requirements

  • TLS client certificate authentication MUST be integrated with RBAC roles
  • Certificate OU field MUST map to RBAC roles via signed claims
  • Certificate revocation checks REQUIRED before RBAC validation
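
A sketch of how sections 1, 3 and 4 could be enforced with Python's standard ssl module. This is an added example, not part of the Symphony code base. The OU-to-role table, the role name and the sample certificate are constructed, and the signed-claims step that section 4 requires for the mapping is assumed to happen elsewhere.

```python
import ssl

# Section 3 suites in priority order (IANA names, as the spec lists them).
ALLOWED_SUITES = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                  "TLS_AES_128_GCM_SHA256")

# Constructed sample in the shape SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("organizationalUnitName", "orchestrator"),),
                (("commonName", "agent-01"),)),
}
SAMPLE_OU_TO_ROLE = {"orchestrator": "task-dispatch"}  # hypothetical role name


def make_server_context():
    """Sections 1 and 4: TLS 1.3 only, client certificate required, and
    CRL checking in the handshake so revocation is settled before RBAC."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Fails closed: with no CRL loaded, client verification is rejected.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    # Caller still loads the server key pair (load_cert_chain) and the
    # client CA plus its CRL (load_verify_locations).
    return ctx


def handshake_violations(version, cipher_name):
    """Check SSLSocket.version() and SSLSocket.cipher()[0] after the handshake.
    set_ciphers() does not control TLS 1.3 suites, so the result is verified."""
    problems = []
    if version != "TLSv1.3":
        problems.append(f"protocol {version} is not TLS 1.3")
    if cipher_name not in ALLOWED_SUITES:
        problems.append(f"cipher suite {cipher_name} is not in the section 3 list")
    return problems


def roles_for(peercert, ou_to_role):
    """Map certificate OU values to roles; an unknown OU grants nothing."""
    ous = [value for rdn in peercert.get("subject", ())
           for key, value in rdn if key == "organizationalUnitName"]
    return sorted({ou_to_role[ou] for ou in ous if ou in ou_to_role})
```
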

5. Audit Requirements

  • Full TLS handshake parameters logged for security audits
  • Session keys escrowed via KMS for incident investigation