Josh Grossman

550 comments by Josh Grossman

Hi @gobrtg, Thanks for taking the time to suggest this. A few thoughts: * Specifically on 2.2.1 I think that the requirement needs some [TLC](https://dictionary.cambridge.org/dictionary/english/tlc) as it is a little...

I think this was an interesting idea but probably more suitable for a separate project so I think we can close for now.

So this requirement is talking about "system generated initial passwords or activation codes". I initially thought it was talking about OTPs or TOTPs but I am pretty sure that...

@jmanico @elarlang 1) The complexity requirements are relevant because this is a randomly generated password and therefore the arguments against complexity don't apply. 2) It should expire because the nature...

> @jmanico I also thought at first that this applied to OTPs such as 2FA codes sent through SMS. Would it make sense to mention that or include another requirement...

I am going to leave this for the V2 rework

https://pages.nist.gov/800-63-4/sp800-63b.html#password no longer seems to distinguish regarding length so I don't think we need to mention length here but rather we can say: | # | Description | L1 |...

@aholmis is correct, this is how we have interpreted the NIST requirements. The duplication thing is a tricky question. I think we need a way of having a blanket...

I think it makes sense to have these as separate requirements for this particular topic as they relate to a particular mechanism. I would propose no further action at this...

What is the suggested action at the requirements level here @bitnesswise? We are not going to rule out JWTs although we do need some form of session revocation mechanism. This...