V1.6 cleanup from non-documentation requirements

[elarlang]

V1 requirements got cleaned up from non-documentation requirements, except V1.6 https://github.com/OWASP/ASVS/issues/2137

V1.6 has now moved to V6, but 2 requirements do not seem to be security decision documentation requirements:

• V1.6.2 Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.
• V1.6.4 Verify that the architecture treats client-side secrets (such as symmetric keys, passwords, or API tokens) as insecure and never uses them to protect or access sensitive data.

[danielcuthbert]

I wonder if 1.6.2 is of any use anymore? I mean given what we have in V6 now, does it offer much? I guess same goes for 1.6.4 in a way too

[elarlang]

Let's start from the first one.

V1.6.2:

V1.6.2 Verify that consumers of cryptographic services protect key material and other secrets by using key vaults or API based alternatives.

is it duplicate of 6.4.1 and 6.4.2?

V6.4.1 Verify that a secrets management solution such as a key vault is used to securely create, store, control access to, and destroy back-end secrets, such as passwords, integrations with databases and third-party systems, seeds and internal secrets, and API keys. Secrets must not be included in source code or be received as CI/CD variables. For a L3 application, this should involved a hardware-backed solution such as an HSM.

V6.4.2 Verify that key material is not exposed to the application (neither the front-end nor the back-end) but instead uses an isolated security module like a vault for cryptographic operations.

If it is not a duplicate and has it own problem to solve, I propose to move it to V6.4