OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Is 1.14.2 relevant to a web standard #1530

Closed tghosth closed 1 year ago

tghosth commented 1 year ago

History

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 1.14.2 | Verify that binary signatures, trusted connections, and verified endpoints are used to deploy binaries to remote devices. | | | | 494 |
| 1.14.3 | Verify that if deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints. | | | | 494 |
| 1.14.2 | Verify that deploying binaries to untrusted devices makes use of binary signatures, trusted connections, and verified endpoints. | | | | 494 |
| 1.19.2 | Verify that if binaries are delivered to untrusted devices, ensure that a secure automatic updating mechanism is present in the architecture which ensures that only signed binaries are downloaded from trusted sites over a secure connection. | | | | tbd |
| 1.10 | Verify that if binaries are delivered to untrusted devices, ensure that a secure automatic updating mechanism is present in the architecture that ensures only signed binaries are downloaded from trusted sites over a secure connection. | | | | tbd |

Looks like 1.10 was added here as part of a larger re-write: https://github.com/OWASP/ASVS/commit/2e5616340ef2c9eb8c8895721f944398850508b9

Background to non-web requirements

In previous discussion of what is in scope for ASVS in #803:

I still think we need to drop desktop requirement and move those to MASVS where they are more appropriate.

@jmanico wrote here.

I agree with this stance. If we are talking about Electron-based apps (JavaScript) then we could support it, but then it becomes a slippery slope. I can't see this working out the way many would like it to.

@danielcuthbert wrote just below that.

Proposal

This requirement has been through a journey but it feels like it is not very relevant to web apps. It sounds very connected to desktop apps and therefore not in scope.

I propose deleting the requirement.

elarlang commented 1 year ago

For me it also seems out of scope from an "application" vs "deploy process" perspective.