Sjoerd Langkemper

Results 204 comments of Sjoerd Langkemper

I think capitalization is partially subjective or a matter of taste, as opposed to a strict grammar rule that is right or wrong. There are several style guides with an...

I think the requirement should be to have a clear contact address for security issues. Whether that is a security.txt or a contact form doesn't really matter to me.

The answers to [What is the best way to calculate true password entropy for human created passwords? - Information Security Stack Exchange](https://security.stackexchange.com/questions/265350/what-is-the-best-way-to-calculate-true-password-entropy-for-human-created-passwo) give some reasons why it's not so simple...

> Verify that lookup secrets have at least 112 bits of entropy

NIST says:

> Look-up secrets SHALL have at least 20 bits of entropy.
>
> ...
>
> ...
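
As an added illustration of the gap between the two figures being compared above (not code from the commenter or from the ASVS project), the following Python computes how long a uniformly random lookup secret must be to reach a given entropy target and generates one with the CSPRNG. The alphabets and the hyphen grouping are assumptions chosen for the example; the entropy arithmetic only counts symbols drawn at random, so separators and formatting never add bits.

```python
import math
import secrets
import string

# Example alphabets (assumed here, not taken from the page or the standard).
ALPHABET_DIGITS = string.digits                          # 10 symbols
ALPHABET_ALNUM = string.ascii_lowercase + string.digits  # 36 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string of `length` symbols chosen uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which uniformly random strings reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_lookup_secret(alphabet: str, target_bits: float, group: int = 4) -> str:
    """Generate one lookup secret with at least `target_bits` of entropy.

    Uses the `secrets` module (CSPRNG); `random` would not be acceptable here.
    The secret is split into hyphenated groups for readability only.
    """
    length = min_length_for_bits(len(alphabet), target_bits)
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, len(raw), group))


def secret_entropy_bits(secret: str, alphabet: str, separator: str = "-") -> float:
    """Entropy an attacker has to guess: only the randomly drawn symbols count."""
    body = secret.replace(separator, "")
    if any(ch not in alphabet for ch in body):
        raise ValueError("secret contains symbols outside the stated alphabet")
    return entropy_bits(len(alphabet), len(body))


if __name__ == "__main__":
    # Six decimal digits fall just short of even the 20-bit floor.
    print(f"6 digits: {entropy_bits(10, 6):.2f} bits")
    print(f"digits needed for 20 bits:  {min_length_for_bits(10, 20)}")
    print(f"digits needed for 112 bits: {min_length_for_bits(10, 112)}")
    print(f"[a-z0-9] needed for 112 bits: {min_length_for_bits(36, 112)}")
    code = generate_lookup_secret(ALPHABET_ALNUM, 112)
    print(f"example secret: {code} ({secret_entropy_bits(code, ALPHABET_ALNUM):.1f} bits)")
```

Running it shows why the two thresholds lead to very different user experience: 20 bits is reached with seven decimal digits, while 112 bits needs 34 digits or 22 lowercase alphanumerics, which is why high-entropy lookup secrets are usually shown in short groups and meant to be copied rather than typed.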

> 123456 is one number containing six digits

> 123456 is probably not a random number :)

The point was the distinction of definition between the words "number" and "digit"....

> or that this was formally considered and rejected

I think developers that use ASVS can formally reject any ASVS requirement, if they think it does not apply to them...

The existing requirement already says that TLS is sufficient, and in this discussion we seem to agree on that. Per-message digital signatures can provide additional security in specific cases,...

> Verify that service authentication uses either ...

I think we should have a requirement that requires authentication between services.

> either mTLS or a credential

I think other methods...

No, I don't really have anything to add other than what I already described above.

No, not other than what I said above. I think the requirements should specify application behaviour and not implementation.