13.3.4 / v5.0.be-14.8.3 - Clarify "key secrets" #2971
Comments
Additionally, topics from #2952: Should the second part have a matching documentation requirement?
As I understand, the goal to achieve is:
This schedule part feels like a process, and I'm not fully sure how well it fits into the scope. We can say that it is described in the documentation, and then we can check when it was last changed?

Regarding the OP, I would suggest just dropping "key" and leaving it as: 13.3.4 Verify that secrets have defined expiration dates and are rotated on a schedule based on the organization's threat model and business requirements.

For future reference, this was added here:
How about the following (new 13.1.4 and modified 13.3.4):

Proposal

V13.1 Configuration Documentation

This section provides documentation requirements around how the application communicates with internal and external services and the techniques to employ to prevent loss of availability due to these services not being accessible. It also considers documentation around secrets.

V13.3 Secret Management

Secret management is a configuration task that is essential to ensure the protection of data being used in the application. Specific requirements on cryptography can be found in the "Cryptography" chapter, but this section focuses on the management and handling aspects of secrets.
Actually, this makes a lot more sense; I like this approach.

Should I PR it in based on #2971 (comment)? (It requires some changes to the mapping files.)
I think there is enough consensus here to PR it, @elarlang. |
We have:
"Key secrets" means "actually very important secrets"? It looks quite like we might be talking about "secret keys" but actually we want to cover private keys, passwords and tokens as well. Should we reword "key secrets"?