OWASP / ASVS

Application Security Verification Standard


2.3.1 and 2.5.1 tags are misleading

tghosth opened this issue · comments

v4.0.3-2.5.1 is this:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.5.1 | Verify that a system generated initial activation or recovery secret is not sent in clear text to the user. (C6) | | | | 640 | 5.1.1.2 |

This requirement has gone through some stuff over the last few years but my understanding is that the tagging should reflect a change from v4.0.3 to v5.

The bleeding edge current tagging is:

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.3.1 | [MODIFIED, MERGED FROM 2.5.1] Verify system generated initial passwords or activation codes are securely randomly generated, at least 6 characters long, may contain letters and numbers, expire after a short period of time, and are single-use. These initial secrets must not be permitted to become the long term password. | | | | 330 | 5.1.1.2 / A.3 |
| 2.5.1 | [DELETED, MERGED TO 2.3.1] | | | | | |

However, I think that this has gotten confused as the requirement has evolved and the actual tagging should be as follows based on this issue.

| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|---|---|---|---|---|---|
| 2.3.1 | [MODIFIED] Verify system generated initial passwords or activation codes are securely randomly generated, at least 6 characters long, may contain letters and numbers, expire after a short period of time, and are single-use. These initial secrets must not be permitted to become the long term password. | | | | 330 | 5.1.1.2 / A.3 |
| 2.5.1 | [DELETED, INCORRECT] | | | | | |

Opinions @elarlang ?

I don't have any strong opinions on this.

Related issue #1014 and PR #1041 and merge commit 89986ce.

Ok I opened a PR because I think this is clear cut, whatever happened afterwards is not relevant to the tagging :)