Josh Grossman
I propose deleting this as insufficient impact. I don't think this temporary code is important enough or long-lived enough for me to care how it is stored.
We currently have this requirement: | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---:...
> Should we explicitly mention "maximum cryptoperiod of 1 to 3 years for private keys"? But if we say that, do we not need to also mandate a whole bunch...
@ImanSharaf waiting for a response here
This is another weird NIST artefact. I think we consider this in the V2 rework, but it seems likely we will need to do something drastic with this chapter.
Opened #2242 to resolve this clear duplication
Ok so this raises an interesting question. I see two threat scenarios here: 1. An application deliberately requires more sensitive permissions than it needs. 2. An attacker/malicious developer/misguided developer introduces...
OK so how about: | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: |...
Ok so I did some more reading on this and I have identified a few problems. 1) As Elar says, [the number of supporting browsers](https://github.com/OWASP/ASVS/issues/1755#issuecomment-1762778518) for the newer header is...