Recheck NIST originated requirements after SP 800-63B revision 4 release #1557
@jimfenton - is there any issue-board like here for ASVS where I could open issues or where I can see reasons for changes or ask questions?
The best approach is to send questions and comments to [email protected]. That's also the address for comments on the SP 800-63 revision 4 draft. There is also a FAQ page at https://pages.nist.gov/800-63-FAQ/ and implementation resources at https://pages.nist.gov/800-63-3-Implementation-Resources/ and the intent is to start a new FAQ and implementation resources when Rev 4 is issued.
@jimfenton is there an expected date for the final version of Revision 4 to be released?
The best source of schedule information is https://www.nist.gov/identity-access-management/roadmap-nist-special-publication-800-63-4-digital-identity-guidelines
Hopefully as part of rework stage |
Revision 4 is not yet finalized (they are not in line with the projected timelines), but based on the current version (2nd public draft), the following changes impact V3 timeouts: The draft also more clearly makes the distinction between an overall timeout and an inactivity timeout. It may be worth updating terminology to correspond. In addition, they added wording that appears intended to account for the wide variability of expiration limits in practice and the possible use of additional mitigation controls (related to previous discussion #1329), from 5.2 Reauthentication:
I see there is currently a placeholder for V1.3 Session Management Architecture. I have not followed the V1 discussions closely, but my understanding is that documentation requirements are moving to relevant chapters. @tghosth can you confirm? If so, I think this would be a good place to start for V3 (even though the NIST revision is a draft). In terms of session timeouts, if we await the finished revision, it may not meet timelines for ASVS 5.0.
I did not understand the connection between updates and documentation requirements, but at the moment we keep related documentation requirements in V1. From a proposing-a-requirement point of view it does not matter - make a proposal and we'll find a suitable place :)
For V1, I opened #2076. For session timeout requirements, my question is this: should the ASVS wait for the final version of the SP 800-63B revision 4?
I don't want to delay ASVS 5.0. If we can update based on the draft and hope for the best, that would probably be ideal
Starting with a recommendation for 3.3.2 in #2113. |
I am going to leave this open for later in the V2 rework process |
Spin-off from #1540 (comment)
@jimfenton :
Placeholder - ASVS session and password (and other NIST originated) requirements recheck after SP 800-63B revision 4 is released.
Meanwhile, provide feedback directly to NIST.