Recheck NIST-originated requirements after SP 800-63B revision 4 release
Spin-off from https://github.com/OWASP/ASVS/issues/1540#issuecomment-1435375069
@jimfenton:
Hint, hint: The draft SP 800-63 revision 4 (including SP 800-63B-4) is currently out for public comment; NIST would welcome public comments through March 24, 2023. https://pages.nist.gov/800-63-4/
Placeholder - ASVS session and password (and other NIST-originated) requirements recheck after SP 800-63B revision 4 is released.
Meanwhile, provide feedback directly to NIST.
@jimfenton - is there any issue board like this one for ASVS where I could open issues, or where I can see the reasons for changes or ask questions?
The best approach is to send questions and comments to [email protected]. That's also the address for comments on the SP 800-63 revision 4 draft. There is also a FAQ page at https://pages.nist.gov/800-63-FAQ/ and implementation resources at https://pages.nist.gov/800-63-3-Implementation-Resources/ and the intent is to start a new FAQ and implementation resources when Rev 4 is issued.
@jimfenton is there an expected date for the final version of Revision 4 to be released?
The best source of schedule information is https://www.nist.gov/identity-access-management/roadmap-nist-special-publication-800-63-4-digital-identity-guidelines
Hopefully as part of the rework stage.
Revision 4 is not yet finalized (they are not in line with the projected timelines), but based on the current version (2nd public draft), the following changes impact V3 timeouts:
The draft also makes the distinction between an overall timeout and an inactivity timeout more clearly. It may be worth updating terminology to correspond. In addition, they added wording that appears intended to account for the wide variability of expiration limits in practice and the possible use of additional mitigation controls (related to previous discussion #1329), from 5.2 Reauthentication:
The overall and inactivity timeout expiration limits depend on several factors, including the AAL of the session, the environment in which the session is conducted (e.g., whether the subscriber is in a restricted area), the type of endpoint being used (e.g., mobile application or web-based), whether the endpoint is a managed device, and the nature of the application itself. Agencies SHALL establish and document the inactivity and overall time limits being enforced in a system security plan such as that described in [SP800-39].
[Footnote from the draft: Managed devices include personal computers, laptops, mobile devices, virtual machines, or infrastructure components that are equipped with a management agent that allows information technology staff to discover, maintain, and control them.]
I see there is currently a placeholder for V1.3 Session Management Architecture. I have not followed the V1 discussions closely, but my understanding is that documentation requirements are moving to relevant chapters. @tghosth can you confirm? If so, I think this would be a good place to start for V3 (even though the NIST revision is a draft).
In terms of session timeouts, if we await the finished revision, it may not meet timelines for ASVS 5.0.
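To make the overall-versus-inactivity distinction from the draft concrete, here is an added example of a session store that enforces both limits (this is illustration written for this thread, not ASVS or NIST code). It assumes per-AAL limits of its own choosing (the `TIMEOUT_POLICY` values are illustrative assumptions, not figures quoted from the page), and the scripted timeline in `demo()` is constructed input:

```python
"""Session expiry enforcing both limits SP 800-63B distinguishes:
an overall (absolute) timeout measured from authentication, and an
inactivity timeout measured from the last subscriber activity.
Added example; the per-AAL limits below are illustrative assumptions."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative limits per AAL (assumed for this example, not taken from the
# page). None means no inactivity limit is enforced at that AAL.
TIMEOUT_POLICY = {
    1: {"overall": timedelta(days=30), "inactivity": None},
    2: {"overall": timedelta(hours=12), "inactivity": timedelta(minutes=30)},
    3: {"overall": timedelta(hours=12), "inactivity": timedelta(minutes=15)},
}


@dataclass
class Session:
    subscriber: str
    aal: int
    created_at: datetime     # time of authentication; never moves
    last_activity: datetime  # refreshed on every validated request


class SessionStore:
    def __init__(self, policy=TIMEOUT_POLICY):
        self.policy = policy
        self.sessions = {}

    def create(self, subscriber, aal, now=None):
        now = datetime.now(timezone.utc) if now is None else now
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[sid] = Session(subscriber, aal, now, now)
        return sid

    def terminate(self, sid):
        self.sessions.pop(sid, None)

    def check(self, sid, now=None):
        """Validate a session. Returns (session, "ok") or (None, reason).
        The overall limit is checked first so activity can never extend a
        session past it; activity only refreshes the inactivity window."""
        now = datetime.now(timezone.utc) if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None, "unknown"
        limits = self.policy[s.aal]
        if now - s.created_at >= limits["overall"]:
            self.terminate(sid)
            return None, "overall-timeout"
        inactivity = limits["inactivity"]
        if inactivity is not None and now - s.last_activity >= inactivity:
            self.terminate(sid)
            return None, "inactivity-timeout"
        s.last_activity = now
        return s, "ok"


def demo():
    """Scripted timeline (constructed input) showing how the two limits interact.
    Returns a list of (subscriber, minutes since login, outcome)."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = SessionStore()
    out = []
    # AAL2: requests 20 minutes apart stay inside the 30-minute inactivity window...
    sid = store.create("alice", aal=2, now=t0)
    for minutes in (20, 40, 60):
        out.append(("alice", minutes, store.check(sid, t0 + timedelta(minutes=minutes))[1]))
    # ...but a 35-minute gap trips the inactivity limit and terminates the session.
    out.append(("alice", 95, store.check(sid, t0 + timedelta(minutes=95))[1]))
    # AAL1: no inactivity limit, yet the overall limit still ends the session.
    sid = store.create("bob", aal=1, now=t0)
    out.append(("bob", 10 * 24 * 60, store.check(sid, t0 + timedelta(days=10))[1]))
    out.append(("bob", 31 * 24 * 60, store.check(sid, t0 + timedelta(days=31))[1]))
    # AAL2 with a request every 10 minutes: constant activity cannot outlive
    # the 12-hour overall limit, because that clock starts at authentication.
    sid = store.create("carol", aal=2, now=t0)
    outcome = "ok"
    for minutes in range(10, 12 * 60 + 10, 10):
        outcome = store.check(sid, t0 + timedelta(minutes=minutes))[1]
        if outcome != "ok":
            break
    out.append(("carol", minutes, outcome))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The design point is the ordering inside `check`: the overall limit is evaluated against `created_at` before anything touches `last_activity`, so a client that keeps polling cannot convert an inactivity-style refresh into an indefinite session, which is the behaviour the draft's two-timeout wording calls for.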
I did not understand the connection between updates and documentation requirements, but at the moment we keep related documentation requirements in V1.
From proposing a requirement point of view it does not matter - make a proposal and we'll find a suitable place :)
For V1, I opened #2076.
For session timeout requirements, my question is this: should the ASVS wait for the final version of the SP 800-63B revision 4?
I don't want to delay ASVS 5.0. If we can update based on the draft and hope for the best, that would probably be ideal
Starting with a recommendation for 3.3.2 in #2113.
I am going to leave this open for later in the V2 rework process
The best source of schedule information is https://www.nist.gov/identity-access-management/roadmap-nist-special-publication-800-63-4-digital-identity-guidelines
Hi @jimfenton - are there any updates or estimates for the release date for 800-63 v4?
Not much in the way of an estimate. The latest I have seen from the NIST team is, "We continue to make progress on our update to the Digital Identity Guidelines and hope to have them published later this year."
For follow-up: version 4 seems to have been released now.