OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

3.6.1 and 3.6.2 seem complex without clear explanation #1190

Closed jmanico closed 3 days ago

Sjord commented 2 years ago

3.6.1 Verify that Relying Parties (RPs) specify the maximum authentication time to Credential Service Providers (CSPs) and that CSPs re-authenticate the user if they haven't used a session within that period.

3.6.2 Verify that Credential Service Providers (CSPs) inform Relying Parties (RPs) of the last authentication event, to allow RPs to determine if they need to re-authenticate the user.

These seem implementation details on how to implement session timeout (required in 3.3.2), when having authentication separate from the application. I think requiring session timeouts is sufficient, and specifying how that should be implemented between RPs and CSPs is not up to the ASVS.

tghosth commented 2 years ago

To be honest, having read the relevant section of NIST and also read the requirements, I think these are ok. The point the NIST standard makes is that the CSP and RP will have different session mechanisms so a simple session timeout is not quite the right answer here.

Bottom line, I think these requirements are ok as they are at this point...

Sjord commented 2 years ago

I would prefer a requirement that says something like "session validity should be synchronized between servers", without getting into how this is implemented.

tghosth commented 2 years ago

> I would prefer a requirement that says something like "session validity should be synchronized between servers", without getting into how this is implemented.

That feels like it might end up a little oversimplified whilst not being specific enough to understand how to implement. Do you have a suggested wording @Sjord ?

tghosth commented 1 year ago

@Sjord any suggestion on this?

@set-reminder 3 weeks make a decision how to proceed if no response

octo-reminder[bot] commented 1 year ago

Reminder Wednesday, December 28, 2022 12:00 AM (GMT+01:00)

make a decision how to proceed if no response

Sjord commented 1 year ago

No, not other than what I said above. I think the requirements should specify application behaviour and not implementation.

tghosth commented 1 year ago

I just spent even more time trying to re-word these requirements and it is not easy. NIST is referring to a very specific case here and there seem to be some subtleties but it seems to be something like the following:

[image attachment not included]

I am not inclined to spend too much more time on this as these are level 3 requirements anyway. If you can think of a specific simplification suggestion then I am open to it but otherwise I think we need to move on :)

octo-reminder[bot] commented 1 year ago

🔔 @tghosth

make a decision how to proceed if no response

tghosth commented 1 year ago

So with no further improvement suggestions, I am going to close this for now. At least if someone searches the issues for these requirements they will hopefully find this thread :)

ryarmst commented 3 days ago

@tghosth it is now 2024 and we have indeed found this thread. For an updated reference, consider the second public draft of NIST 800-63C-4.

In conjunction with #2102, I would like to propose simplifying this into a single requirement. Consider the following:

Verify that session lifetime and termination between Relying Parties (RPs) and Credential Service Providers (CSPs) behave as documented, requiring re-authentication as necessary such as when the maximum time between CSP authentication events is reached.
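An added illustration of the decision the proposed requirement asks an RP to make; this is not code from the ASVS project or from anyone in the thread. It assumes the CSP reports the last authentication event as an `auth_time` timestamp and accepts a `max_age` parameter, as OpenID Connect does; the thread itself names no protocol, so those claim and parameter names are assumptions. It also assumes the claims have already been signature-verified upstream.

```python
"""Relying Party (RP) side check: has the CSP's last authentication event
aged past this RP's maximum, or has the RP's own session gone idle?
Constructed example, not ASVS project code; 'auth_time'/'max_age' are
borrowed from OpenID Connect as an assumed concrete analogue."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RpSessionPolicy:
    max_auth_age: int      # seconds since the CSP's last authentication event this RP tolerates
    idle_timeout: int      # seconds of RP-side inactivity before the RP session is invalid
    clock_skew: int = 60   # tolerated CSP/RP clock difference in seconds


def authentication_request_params(policy: RpSessionPolicy, client_id: str,
                                  redirect_uri: str) -> Dict[str, str]:
    """Parameters the RP sends to the CSP so the CSP knows the maximum
    authentication age this RP accepts (assumed OIDC 'max_age' parameter)."""
    return {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "max_age": str(policy.max_auth_age),
    }


def reauth_decision(auth_time: Optional[int], last_activity: int,
                    policy: RpSessionPolicy, now: int) -> Tuple[bool, str]:
    """Return (must_reauthenticate, reason).

    auth_time     -- last authentication event reported by the CSP, or None if
                     the CSP did not report one (fail closed in that case)
    last_activity -- last request seen on the RP's own session
    now           -- current time; passed in so the check is deterministic
    """
    if auth_time is None:
        # The CSP gave the RP nothing to reason about: require a fresh login.
        return True, "csp_did_not_report_auth_time"
    if auth_time - now > policy.clock_skew:
        # A timestamp well in the future is not trustworthy; do not extend the session on it.
        return True, "auth_time_in_future"
    if now - auth_time > policy.max_auth_age:
        # Maximum time between CSP authentication events has been reached.
        return True, "max_auth_age_exceeded"
    if now - last_activity > policy.idle_timeout:
        # The RP's own inactivity timeout is independent of the CSP's clock.
        return True, "rp_idle_timeout"
    return False, "ok"


# Constructed sample: fixed 'now' and verified claims as the RP would hold them.
NOW = 1_700_000_000
POLICY = RpSessionPolicy(max_auth_age=3600, idle_timeout=900)
SAMPLE_CLAIMS = {"sub": "user-123", "auth_time": NOW - 3000, "iat": NOW - 10}


def demo() -> Tuple[bool, str]:
    """Evaluate the constructed sample session against POLICY."""
    return reauth_decision(SAMPLE_CLAIMS.get("auth_time"), NOW - 100, POLICY, NOW)


if __name__ == "__main__":
    print(authentication_request_params(POLICY, "example-rp", "https://rp.example/cb"))
    print(demo())
```

The two timeouts are deliberately separate: `max_auth_age` is the cross-server property the thread is about (the RP tells the CSP its maximum, and checks what the CSP reports back), while `idle_timeout` is the RP-local session timeout of 3.3.2. A missing or future-dated `auth_time` fails closed rather than silently extending the session.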

tghosth commented 3 days ago

Looks good to me

jmanico commented 3 days ago

So let's go to PR.

1) Modify 3.6.1 to Ryan's new text
2) Delete 3.6.2
3) Add a new doc requirement.

Enough of this "process" crap, let's go right to PR, Ryan!

ryarmst commented 3 days ago

@tghosth See #2320. I created #2321 for the inevitable section text update.