
Consideration of Appropriate Cryptoperiods as per NIST Guidelines

Open ImanSharaf opened this issue 2 years ago • 5 comments

In light of enhancing ASVS cryptographic key management practices, it's advisable to consider aligning our cryptoperiods with the recommendations provided by the National Institute of Standards and Technology (NIST). NIST 800-57 suggests a maximum cryptoperiod of 1 to 3 years for private keys associated with certificates. This issue aims to initiate discussions and subsequent actions towards reviewing and possibly amending current ASVS key management practices in line with NIST guidelines.


ImanSharaf avatar Oct 11 '23 17:10 ImanSharaf
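The issue above cites the NIST SP 800-57 figure of a 1 to 3 year maximum cryptoperiod for private keys associated with certificates. As an added illustration of what a key-lifecycle policy check looks like in practice (this is not code from the issue, from ASVS, or from NIST), the script below audits a small key inventory against per-key-type cryptoperiod limits and flags keys that are past their limit or due for rotation. The certificate signing key limit uses the upper bound of the 1 to 3 year range; the other key types, the 90-day rotation warning window, and the inventory itself are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date

# Maximum cryptoperiod per key type, in days.
# "private-signature-key" uses the upper bound of the 1-3 year range quoted
# in the issue from NIST SP 800-57; the other two entries are assumptions
# chosen only to make the example run.
MAX_CRYPTOPERIOD_DAYS = {
    "private-signature-key": 3 * 365,
    "symmetric-data-key": 2 * 365,   # assumption
    "hmac-key": 2 * 365,             # assumption
}

# How far ahead of the limit a key is reported as due for rotation (assumption).
WARN_BEFORE_DAYS = 90


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    key_type: str
    activated: date   # date the key entered active use


def key_status(record: KeyRecord, today: date) -> tuple[str, int]:
    """Return (status, days_remaining) for one key.

    status is one of:
      "EXPIRED"      - the key has exceeded its maximum cryptoperiod
      "ROTATE_SOON"  - the key is within WARN_BEFORE_DAYS of the limit
      "OK"           - the key is comfortably inside its cryptoperiod
    days_remaining is negative once the limit has been exceeded.
    """
    try:
        limit = MAX_CRYPTOPERIOD_DAYS[record.key_type]
    except KeyError:
        # An unknown key type means the policy does not cover it; fail closed
        # rather than silently treating it as unlimited.
        raise ValueError(f"no cryptoperiod policy for key type {record.key_type!r}")
    age_days = (today - record.activated).days
    remaining = limit - age_days
    if remaining < 0:
        return "EXPIRED", remaining
    if remaining <= WARN_BEFORE_DAYS:
        return "ROTATE_SOON", remaining
    return "OK", remaining


def audit(records: list[KeyRecord], today: date) -> dict[str, tuple[str, int]]:
    """Evaluate every key in the inventory and return key_id -> (status, days_remaining)."""
    return {r.key_id: key_status(r, today) for r in records}


def needs_action(report: dict[str, tuple[str, int]]) -> list[str]:
    """Key ids that are expired or due for rotation, expired ones first."""
    flagged = [(kid, st, rem) for kid, (st, rem) in report.items() if st != "OK"]
    flagged.sort(key=lambda t: t[2])  # most overdue first
    return [kid for kid, _, _ in flagged]


# Constructed inventory (not real keys); the "today" value is fixed so the
# result is reproducible.
SAMPLE_INVENTORY = [
    KeyRecord("sign-2021", "private-signature-key", date(2021, 1, 1)),
    KeyRecord("sign-2024", "private-signature-key", date(2024, 1, 15)),
    KeyRecord("data-2022", "symmetric-data-key", date(2022, 8, 1)),
]
SAMPLE_TODAY = date(2024, 6, 19)


def sample_audit() -> dict[str, tuple[str, int]]:
    """Run the audit over the constructed inventory as of SAMPLE_TODAY."""
    return audit(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    report = sample_audit()
    for key_id, (status, remaining) in report.items():
        print(f"{key_id:12} {status:12} {remaining:+d} days")
    print("needs action:", needs_action(report))
```

The point of the example is the shape of the check rather than the specific numbers: the policy lives in one table keyed by key type, every key in the inventory is measured against it from its activation date, and an unknown key type is an error rather than an implicit "no limit". That is the kind of explicit, auditable policy the ASVS requirement quoted later in this thread asks for, without hard-coding any single cryptoperiod into the requirement text itself.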

I think this is too long. I suggest "no long-term keys" for any reason.

jmanico avatar Oct 12 '23 00:10 jmanico

We currently have this requirement:

| # | Description | L1 | L2 | L3 | CWE |
|---|-------------|----|----|----|-----|
| 1.6.1 | Verify that there is an explicit policy for management of cryptographic keys and that a cryptographic key lifecycle follows a key management standard such as NIST SP 800-57. | | | | 320 |

I would be quite hesitant to start trying to mandate too many details of this directly...

tghosth avatar Oct 23 '23 15:10 tghosth

Should we explicitly mention "maximum cryptoperiod of 1 to 3 years for private keys"?

ImanSharaf avatar Oct 23 '23 20:10 ImanSharaf

> Should we explicitly mention "maximum cryptoperiod of 1 to 3 years for private keys"?

But if we say that, do we not need to also mandate a whole bunch of other requirements?

tghosth avatar Oct 25 '23 06:10 tghosth

@ImanSharaf waiting for a response here

tghosth avatar Jan 25 '24 11:01 tghosth

@ImanSharaf :)

tghosth avatar Jun 19 '24 17:06 tghosth

Sorry for delay. We can close this one.

ImanSharaf avatar Jun 19 '24 17:06 ImanSharaf