3.6.1 "Subscriber" is not defined

[ike]

Hi there! This is my first issue, and I am new to application security as well as standards development in general. I have been a software developer for over ten years, mostly in web development. I have always had an interest in secure coding, but six months ago I started working as an AppSec Champion in my organization. I appreciate the work here tremendously! I have already used the ASVS to create checklists for our organization.

I would appreciate any critical feedback on how to be useful to the work here

I think that 3.6.1 could be updated to more clearly state the requirement. Does "subscriber" refer to the end user, or the RP? I realize that since I don't work on Federated CSPs this may be standard language that I am just unfamiliar with.

3.6.1 - Verify that relying parties specify the maximum authentication time to Credential Service Providers (CSPs) and that CSPs re-authenticate the subscriber if they haven't used a session within that period.

I would be happy to submit a PR with some updated language if that's helpful.

Thanks,
Isaac Lewis

[jmanico]

Thanks for joining us! I think the "subscriber" is the end user here. New language would be helpful, go for it!

[jmanico]

Its merged! :)