Recheck NIST originated requirements after SP 800-63B revision 4 release

[elarlang]

Spin-off from https://github.com/OWASP/ASVS/issues/1540#issuecomment-1435375069

@jimfenton :

Hint, hint: The draft SP 800-63 revision 4 (including SP 800-63B-4) is currently out for public comment; NIST would welcome public comments through March 24, 2023. https://pages.nist.gov/800-63-4/

Pleaceholder - ASVS session and password (and other NIST originated) requirements recheck after SP 800-63B revision 4 is released.

Meanwhile, provide feedback directly to NIST.

[elarlang]

@jimfenton - is there any issue-board like here for ASVS where I could open issues or where I can see reasons for changes or ask questions?

[jimfenton]

The best approach is to send questions and comments to dig-comments@nist.gov. That's also the address for comments on the SP 800-63 revision 4 draft. There is also a FAQ page at https://pages.nist.gov/800-63-FAQ/ and implementation resources at https://pages.nist.gov/800-63-3-Implementation-Resources/ and the intent is to start a new FAQ and implementation resources when Rev 4 is issued.

[tghosth]

@jimfenton is there an expected date for the final version of Revision 4 to be released?

[jimfenton]

The best source of schedule information is https://www.nist.gov/identity-access-management/roadmap-nist-special-publication-800-63-4-digital-identity-guidelines

[tghosth]

Hopefully as part of rework stage

[ryarmst]

Revision 4 is not yet finalized (they are not in line with the projected timelines), but based on the current version (2nd public draft), the following changes impact V3 timeouts:

• 3.3.2 would be updated to 24 hours for L2 (AAL2)
• 3.3.5 would be updated to 1 hour for L2 (AAL3)

The draft also more clearly make the distinction between an overall timeout and inactivity timeout. It may be worth updating terminology to correspond. In addition, they added wording that appears intended to account for the wide variability of expiration limits in practice and possible use of additional mitigation controls (related to previous discussion #1329), from 5.2 Reauthenticaton:

The overall and inactivity timeout expiration limits depend on several factors, including the AAL of the session, the environment in which the session is conducted (e.g., whether the subscriber is in a restricted area), the type of endpoint being used (e.g., mobile application or web-based), whether the endpoint is a managed device Managed devices include personal computers, laptops, mobile devices, virtual machines, or infrastructure components that are equipped with a management agent that allows information technology staff to discover, maintain, and control them, and the nature of the application itself. Agencies SHALL establish and document the inactivity and overall time limits being enforced in a system security plan such as that described in [SP800-39].

I see there is currently a placeholder for V1.3 Session Management Architecture. I have not followed the V1 discussions closely, but my understanding is that documentation requirements are moving to relevant chapters. @tghosth can you confirm? If so, I think this would be a good place to start for V3 (even though the NIST revision is a draft).

In terms of session timeouts, if we await the finished revision, it may not meet timelines for ASVS 5.0.

[elarlang]

I did not understand the connection between updates and documentation requirements, but at the moment we keep related documentation requirements in V1.

From proposing a requirement point of view it does not matter - make a proposal and we'll find a suitable place :)

[ryarmst]

For V1, I opened #2076.

For session timeout requirements, my question is this: should the ASVS wait for the final version of the SP 800-63B revision 4?

[tghosth]

For session timeout requirements, my question is this: should the ASVS wait for the final version of the SP 800-63B revision 4?

I don't want to delay ASVS 5.0. If we can update based on the draft and hope for the best, that would probably be ideal

[ryarmst]

Starting with a recommendation for 3.3.2 in #2113.

[tghosth]

I am going to leave this open for later in the V2 rework process