OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Recheck NIST originated requirements after SP 800-63B revision 4 release #1557

Open elarlang opened 1 year ago

elarlang commented 1 year ago

Spin-off from https://github.com/OWASP/ASVS/issues/1540#issuecomment-1435375069

@jimfenton :

Hint, hint: The draft SP 800-63 revision 4 (including SP 800-63B-4) is currently out for public comment; NIST would welcome public comments through March 24, 2023. https://pages.nist.gov/800-63-4/

Placeholder - ASVS session and password (and other NIST originated) requirements recheck after SP 800-63B revision 4 is released.

Meanwhile, provide feedback directly to NIST.

elarlang commented 1 year ago

@jimfenton - is there any issue-board like here for ASVS where I could open issues or where I can see reasons for changes or ask questions?

jimfenton commented 1 year ago

The best approach is to send questions and comments to dig-comments@nist.gov. That's also the address for comments on the SP 800-63 revision 4 draft. There is also a FAQ page at https://pages.nist.gov/800-63-FAQ/ and implementation resources at https://pages.nist.gov/800-63-3-Implementation-Resources/ and the intent is to start a new FAQ and implementation resources when Rev 4 is issued.

tghosth commented 1 year ago

@jimfenton is there an expected date for the final version of Revision 4 to be released?

jimfenton commented 1 year ago

The best source of schedule information is https://www.nist.gov/identity-access-management/roadmap-nist-special-publication-800-63-4-digital-identity-guidelines

tghosth commented 12 months ago

Hopefully as part of rework stage

ryarmst commented 6 days ago

Revision 4 is not yet finalized (they are not in line with the projected timelines), but based on the current version (2nd public draft), the following changes impact V3 timeouts:

The draft also more clearly makes the distinction between an overall timeout and an inactivity timeout. It may be worth updating terminology to correspond. In addition, they added wording that appears intended to account for the wide variability of expiration limits in practice and the possible use of additional mitigation controls (related to previous discussion #1329), from 5.2 Reauthentication:

The overall and inactivity timeout expiration limits depend on several factors, including the AAL of the session, the environment in which the session is conducted (e.g., whether the subscriber is in a restricted area), the type of endpoint being used (e.g., mobile application or web-based), whether the endpoint is a managed device (Managed devices include personal computers, laptops, mobile devices, virtual machines, or infrastructure components that are equipped with a management agent that allows information technology staff to discover, maintain, and control them), and the nature of the application itself. Agencies SHALL establish and document the inactivity and overall time limits being enforced in a system security plan such as that described in [SP800-39].

I see there is currently a placeholder for V1.3 Session Management Architecture. I have not followed the V1 discussions closely, but my understanding is that documentation requirements are moving to relevant chapters. @tghosth can you confirm? If so, I think this would be a good place to start for V3 (even though the NIST revision is a draft).

In terms of session timeouts, if we await the finished revision, it may not meet timelines for ASVS 5.0.
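As an added illustration of the overall-versus-inactivity distinction quoted above (this is not code from the ASVS project or the NIST draft), the check below enforces both limits per AAL and shows that activity extends only the inactivity window, never the overall limit. The per-AAL numbers are constructed assumptions; the draft leaves the real values to the system security plan.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample limits per AAL, in seconds. These are an assumption for
# illustration only; the quoted draft text leaves the actual values to each
# agency's documented system security plan.
SESSION_LIMITS = {
    1: {"overall": 30 * 24 * 3600, "inactivity": None},
    2: {"overall": 12 * 3600, "inactivity": 30 * 60},
    3: {"overall": 12 * 3600, "inactivity": 15 * 60},
}


@dataclass
class Session:
    aal: int
    authenticated_at: int  # epoch seconds of the last full authentication
    last_activity_at: int  # epoch seconds of the last request on this session


def session_state(session: Session, now: Optional[int] = None) -> str:
    """Return 'active', 'expired_overall' or 'expired_inactivity'.

    The overall limit is measured from the last full authentication, the
    inactivity limit from the last request; either one expiring ends the session.
    """
    now = int(time.time()) if now is None else now
    limits = SESSION_LIMITS[session.aal]
    if now - session.authenticated_at >= limits["overall"]:
        return "expired_overall"
    inactivity = limits["inactivity"]
    if inactivity is not None and now - session.last_activity_at >= inactivity:
        return "expired_inactivity"
    return "active"


def touch(session: Session, now: Optional[int] = None) -> str:
    """Record a request on the session.

    Only the inactivity window is refreshed; the overall limit still counts
    from authenticated_at, so a continuously used session still expires and
    must be re-authenticated.
    """
    now = int(time.time()) if now is None else now
    state = session_state(session, now)
    if state == "active":
        session.last_activity_at = now
    return state
```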

elarlang commented 6 days ago

I did not understand the connection between updates and documentation requirements, but at the moment we keep related documentation requirements in V1.

From proposing a requirement point of view it does not matter - make a proposal and we'll find a suitable place :)

ryarmst commented 6 days ago

For V1, I opened #2076.

For session timeout requirements, my question is this: should the ASVS wait for the final version of the SP 800-63B revision 4?

tghosth commented 4 days ago

For session timeout requirements, my question is this: should the ASVS wait for the final version of the SP 800-63B revision 4?

I don't want to delay ASVS 5.0. If we can update based on the draft and hope for the best, that would probably be ideal