T4
Scoring Strategy
As with IETF and NIST standards, TrustFour follows the convention used in other normative documents for the verbs “shall”, “shall not”, “should”, “should not” and “may”, which are a subset of the key words defined in IETF Request for Comments (RFC) 2119.
Server & Domain Rating
| Rating | Score | Red Amber Green (RAG) Status |
|---|---|---|
| A+ | 99 – 100 | Green |
| A | 95 – 98 | Green |
| A- | 90 – 94 | Green |
| B | 80 – 89 | Amber |
| C | 70 – 79 | Amber |
| D | 60 – 69 | Amber |
| E | 50 – 59 | Amber |
| F | 0 – 49 | Red |
If critical vulnerabilities are detected, the score is downgraded to F.
The verbs are interpreted as follows:
| Verb | Implies | Score |
|---|---|---|
| shall | must do | compliance → 1; non-compliance → 0 |
| shall not | must not do | compliance → 1; non-compliance → 0 |
| should | recommended | compliance → 1; non-compliance → 0 |
| should not | not recommended | compliance → 1; non-compliance → 0 |
| may | optional | compliance → not scored; non-compliance → 0. If implemented and non-compliant, scored as 0. If not implemented, not included in the overall score. |
There are two categories: Server Certificate and TLS Handshake. The Server Certificate parameters are common to all TLS versions, while the TLS Handshake parameters differ from one TLS version to another.
Server Certificate Compliance
| # | Server Certificate Param | Mandatory | Verb |
|---|---|---|---|
| 1 | Public Cert Auth Info | yes | Should |
| 2 | Public Cert Auth Key Identifier | yes | Should |
| 3 | Public Cert Expiry Date | yes | Should |
| 4 | Public Cert Extended Key Usage | yes | Should |
| 5 | Public Cert Issuer DN | yes | Should |
| 6 | Public Cert Issuer Signature Algorithm | yes | Shall |
| 7 | Public Cert Key Length | yes | Shall |
| 8 | Public Cert Key Usage | yes | Should |
| 9 | Public Cert SAN Entries | yes | Should |
| 10 | Public Cert Signature Algorithm | yes | Should |
| 11 | Public Cert Sub Key Identifier | yes | Should |
| 12 | Public Cert Subject DN | yes | Should |
| 13 | Public Cert Subject DN CN | yes | Shall |
| 14 | Public Cert Type | yes | Shall |
| 15 | Public Cert Version (X509 Version) | yes | Shall |
| 16 | ECDSA Public Key Curve | yes (only for ECDSA cert type) | Should |
TLS 1.3 Handshake Compliance
| # | TLS Handshake Param | Mandatory | Verb |
|---|---|---|---|
| 1 | Supported Cipher Suites | yes | Shall |
| 2 | Server Name Indication Extension Support | yes | Shall |
| 3 | Signature Algorithms Extension Support | yes | Shall |
| 4 | Certificate Status Request Extension Support | yes | Shall |
| 5 | Supported Groups Extension Support | yes | Shall |
| 6 | Key Share Extension Support | yes | Shall |
| 7 | Supported Versions Extension Support | yes | Shall |
| 8 | Signed Certificate Timestamps Extension Support | yes | Should |
| 9 | Early Data Indication Extension Support | yes | Should Not |
| 10 | Cookie Extension Support | no | May (scored if implemented) |
TLS 1.2 Handshake Compliance
| # | TLS Handshake Param | Mandatory | Verb |
|---|---|---|---|
| 1 | Renegotiation Indication Extension Support | yes | Shall |
| 2 | Supported Cipher Suites | yes | Shall |
| 3 | Server Name Indication Extension Support | yes | Shall |
| 4 | Extended Master Secret Extension Support | yes | Shall |
| 5 | Signature Algorithms Extension Support | yes | Shall |
| 6 | Certificate Status Request Extension Support | yes | Shall |
| 7 | Fallback Signaling Cipher Suite Value Support | yes | Shall |
| 8 | Supported Groups Extension Support | yes | Shall |
| 9 | Supported Point Formats Extension Support | yes | Shall |
| 10 | Encrypt-then-MAC Extension Support | yes | Shall |
| 11 | Signed Certificate Timestamps Extension Support | yes | Should |
TLS 1.1 & TLS 1.0 Handshake Compliance
| # | TLS Handshake Param | Mandatory | Verb |
|---|---|---|---|
| 1 | Renegotiation Indication Extension Support | yes | Shall |
| 2 | Server Name Indication Extension Support | yes | Shall |
| 3 | Extended Master Secret Extension Support | yes | Shall |
| 4 | Certificate Status Request Extension Support | yes | Shall |
| 5 | Fallback Signaling Cipher Suite Value Support | yes | Shall |
| 6 | Supported Groups Extension Support | yes | Shall |
| 7 | Supported Point Formats Extension Support | yes | Shall |
| 8 | Encrypt-then-MAC Extension Support | yes | Shall |
| 9 | Signed Certificate Timestamps Extension Support | yes | Should |
| 10 | Supported Cipher Suites | yes | Shall |
Calculation of Key Strength
| Key exchange aspect | Score |
|---|---|
| Weak key (Debian OpenSSL flaw) | 0% |
| Anonymous key exchange (no authentication) | 0% |
| Key or DH parameter strength < 512 bits | 20% |
| Exportable key exchange (limited to 512 bits) | 40% |
| Key or DH parameter strength < 1024 bits (e.g., 512) | 40% |
| Key or DH parameter strength < 2048 bits (e.g., 1024) | 80% |
| Key or DH parameter strength < 4096 bits (e.g., 2048) | 90% |
| Key or DH parameter strength >= 4096 bits (e.g., 4096) | 100% |
Calculation of Cipher Strength
| Cipher strength | Score |
|---|---|
| 0 bits (no encryption) | 0% |
| < 128 bits (e.g., 40, 56) | 20% |
| < 256 bits (e.g., 128, 168) | 80% |
| >= 256 bits (e.g., 256) | 100% |
Scoring Notes
- If Server supports TLS 1.1 – reduce 1 point in TLS Handshake score of the server
- If Server supports TLS 1.0 – reduce 1 point in TLS Handshake score of the server
- If cipher suite of type TLS_AKE_WITH* is encountered (e.g. TLS_AKE_WITH_AES_128_GCM_SHA256) analyze as if TLS_AES_128_GCM_SHA256. Some implementations define these cipher suites with a non-standard naming convention.
Scoring Example
This example is a domain that has only one server supporting TLS 1.3 and TLS 1.2. The score is calculated for each TLS version and then averaged for an overall score.
TLS 1.3
| Category | Score | Total Score | Score % |
|---|---|---|---|
| TLS Handshake | 7 | 9 | 77.78 % |
| Certificate | 13 | 15 | 86.67 % |
| Cipher Strength | | | 90 % |
| Key Strength | | | 90 % |
TLS 1.3 Score: average of all 4 scores = (77.78 + 86.67 + 90 + 90)/4 = 86.11 %
TLS 1.2
| Category | Score | Total Score | Score % |
|---|---|---|---|
| TLS Handshake | 9 | 11 | 81.81 % |
| Certificate | 13 | 15 | 86.67 % |
| Cipher Strength | | | 90 % |
| Key Strength | | | 90 % |
TLS 1.2 Score: average of all 4 scores = (81.81 + 86.67 + 90 + 90)/4 = 87.12 %
For the overall domain score, we combine scores of all versions of TLS found. In this case only TLS 1.3 and TLS 1.2 were found.
Overall Domain Score
| Category | Score |
|---|---|
| TLS Handshake | 16/21 (76.19 %) |
| Certificate | 26/30 (86.67 %) |
| Cipher Strength | 90 % |
| Key Strength | 90 % |
Overall score = average of the 4 sub-scores = (76.19 + 86.67 + 90 + 90)/4 = 85.71 %, Rating B