
3.6.1 and 3.6.2 seem complex without clear explanation

jmanico opened this issue 3 years ago • 3 comments

jmanico avatar Feb 02 '22 10:02 jmanico

3.6.1 Verify that Relying Parties (RPs) specify the maximum authentication time to Credential Service Providers (CSPs) and that CSPs re-authenticate the user if they haven't used a session within that period.

3.6.2 Verify that Credential Service Providers (CSPs) inform Relying Parties (RPs) of the last authentication event, to allow RPs to determine if they need to re-authenticate the user.

These seem implementation details on how to implement session timeout (required in 3.3.2), when having authentication separate from the application. I think requiring session timeouts is sufficient, and specifying how that should be implemented between RPs and CSPs is not up to the ASVS.

Sjord avatar Aug 13 '22 20:08 Sjord

To be honest, having read the relevant section of NIST and also read the requirements, I think these are ok. The point the NIST standard makes is that the CSP and RP will have different session mechanisms so a simple session timeout is not quite the right answer here.

Bottom line, I think these requirements are ok as they are at this point...

tghosth avatar Sep 14 '22 18:09 tghosth
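The exchange the two requirements describe, written out as an added example that is not part of this thread or of the ASVS project. It follows the shape OpenID Connect gives it (the RP's max_age request parameter and the auth_time ID-token claim), which the thread itself does not mention; the class names, the toy HMAC-signed token standing in for a real signed ID token, the key, the user names and the timings are all constructed for illustration. It also shows the point made above: the RP keeps its own application session timeout separate from the CSP's login session, and the RP checks auth_time itself rather than trusting the CSP to have honoured max_age.

```python
"""Added example (not from the ASVS project or this thread): an RP/CSP
re-authentication exchange in the style of OpenID Connect's max_age request
parameter and auth_time ID-token claim. The clock is injected so it runs offline."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical shared secret standing in for the CSP's token-signing key.
CSP_KEY = b"example-csp-signing-key"


def _sign(payload: dict) -> str:
    """Toy token: canonical JSON plus an HMAC tag (a real CSP issues a signed JWT)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(CSP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(token: str) -> dict:
    """The RP must verify the token before trusting the auth_time it carries."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(CSP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad token signature")
    return json.loads(body)


@dataclass
class CSP:
    """Credential Service Provider: owns the login session and records when
    each user last authenticated."""
    now: Callable[[], int]
    last_auth: Dict[str, int] = field(default_factory=dict)  # sub -> epoch seconds of last login
    reauth_events: List[str] = field(default_factory=list)   # every time a user was re-prompted

    def login(self, sub: str) -> None:
        # Stands in for actually prompting the user for credentials.
        self.last_auth[sub] = self.now()
        self.reauth_events.append(sub)

    def authorize(self, sub: str, max_age: int) -> str:
        """Handle an RP request carrying max_age (ASVS 3.6.1): re-authenticate if the
        last login is older than max_age, then report auth_time back (ASVS 3.6.2)."""
        if sub not in self.last_auth or self.now() - self.last_auth[sub] > max_age:
            self.login(sub)
        return _sign({"sub": sub, "auth_time": self.last_auth[sub], "iat": self.now()})


class LaxCSP(CSP):
    """A CSP that ignores max_age (constructed failure mode): it only logs a user
    in once and keeps issuing tokens with the old auth_time."""
    def authorize(self, sub: str, max_age: int) -> str:
        if sub not in self.last_auth:
            self.login(sub)
        return _sign({"sub": sub, "auth_time": self.last_auth[sub], "iat": self.now()})


@dataclass
class RP:
    """Relying Party with its own application session, independent of the CSP's."""
    now: Callable[[], int]
    max_age: int       # maximum authentication age the RP will accept (sent to the CSP)
    session_ttl: int   # RP's own idle timeout (ASVS 3.3.2); unrelated to the CSP's session
    sessions: Dict[str, dict] = field(default_factory=dict)

    def establish_session(self, csp: CSP, sub: str) -> int:
        claims = _verify(csp.authorize(sub, self.max_age))
        # Do not rely on the CSP having honoured max_age: check auth_time locally.
        if self.now() - claims["auth_time"] > self.max_age:
            raise PermissionError("CSP returned an authentication older than max_age")
        self.sessions[sub] = {"auth_time": claims["auth_time"], "last_used": self.now()}
        return claims["auth_time"]

    def request(self, csp: CSP, sub: str) -> str:
        """Per-request check. Returns 'ok' (RP session still valid), 'session-refreshed'
        (RP session expired but the CSP login was still fresh enough) or
        'reauthenticated' (the CSP had to prompt the user again)."""
        s = self.sessions.get(sub)
        if (s is not None
                and self.now() - s["last_used"] <= self.session_ttl
                and self.now() - s["auth_time"] <= self.max_age):
            s["last_used"] = self.now()
            return "ok"
        before = len(csp.reauth_events)
        self.establish_session(csp, sub)
        return "reauthenticated" if len(csp.reauth_events) > before else "session-refreshed"


def scenario() -> tuple:
    """Constructed timeline: RP idle timeout 300 s, maximum authentication age 900 s."""
    clock = {"t": 1_000_000}
    now = lambda: clock["t"]
    csp, rp = CSP(now), RP(now, max_age=900, session_ttl=300)
    results = [rp.request(csp, "alice")]   # first visit: CSP prompts for login
    clock["t"] += 200
    results.append(rp.request(csp, "alice"))  # RP session still live
    clock["t"] += 400                         # RP idle timeout passed, CSP login 600 s old
    results.append(rp.request(csp, "alice"))  # new RP session, no re-prompt
    clock["t"] += 700                         # CSP login now 1300 s old, beyond max_age
    results.append(rp.request(csp, "alice"))  # CSP must re-authenticate
    return results, len(csp.reauth_events)


def lax_csp_is_caught() -> bool:
    """The RP's own auth_time check rejects a CSP that ignored max_age."""
    clock = {"t": 2_000_000}
    now = lambda: clock["t"]
    csp, rp = LaxCSP(now), RP(now, max_age=900, session_ttl=300)
    rp.request(csp, "bob")
    clock["t"] += 1000
    try:
        rp.request(csp, "bob")
    except PermissionError:
        return True
    return False
```

The third request is the case NIST is getting at: the RP's application session has timed out, but the user's authentication at the CSP is still recent enough, so the RP gets a fresh session without the user being prompted again. Only when auth_time falls outside the RP's max_age does the CSP re-authenticate, and the RP verifies that independently because auth_time is the only thing that tells it when the user last proved who they are.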

I would prefer a requirement that says something like "session validity should be synchronized between servers", without getting into how this is implemented.

Sjord avatar Sep 15 '22 07:09 Sjord

I would prefer a requirement that says something like "session validity should be synchronized between servers", without getting into how this is implemented.

That feels like it might end up a little oversimplified whilst not being specific enough to understand how to implement. Do you have a suggested wording @Sjord ?

tghosth avatar Oct 20 '22 17:10 tghosth

@Sjord any suggestion on this?

@set-reminder 3 weeks make a decision how to proceed if no response

tghosth avatar Dec 07 '22 17:12 tghosth

Reminder Wednesday, December 28, 2022 12:00 AM (GMT+01:00)

make a decision how to proceed if no response

octo-reminder[bot] avatar Dec 07 '22 17:12 octo-reminder[bot]

No, not other than what I said above. I think the requirements should specify application behaviour and not implementation.

Sjord avatar Dec 08 '22 08:12 Sjord

I just spent even more time trying to re-word these requirements and it is not easy. NIST is referring to a very specific case here and there seem to be some subtleties but it seems to be something like the following:

[image]

I am not inclined to spend too much more time on this as these are level 3 requirements anyway. If you can think of a specific simplification suggestion then I am open to it but otherwise I think we need to move on :)

tghosth avatar Dec 13 '22 14:12 tghosth

🔔 @tghosth

make a decision how to proceed if no response

octo-reminder[bot] avatar Dec 27 '22 23:12 octo-reminder[bot]

So with no further improvement suggestions, I am going to close this for now. At least if someone searches the issues for these requirements they will hopefully find this thread :)

tghosth avatar Jan 01 '23 20:01 tghosth