[OpenID] OpenID Assertion Quality Extension - Draft

Recordon, David drecordon at verisign.com
Sun Dec 3 17:00:40 PST 2006


Yeah, we looked at this a bit when drafting the extension originally.
There are just so many factors that go into password choice/enforcement
that describing them becomes quite difficult.  It also is possible to
describe features which actually are just red herrings.  I wish it was
simpler so something could be included. :-\

Also pulling general@ off this thread.

--David 

-----Original Message-----
From: Avery Glasser [mailto:aglasser at vxvsolutions.com] 
Sent: Saturday, December 02, 2006 8:35 PM
To: Duck at Kronkltd.net
Cc: Recordon, David; specs at openid.net; general at openid.net
Subject: RE: Re: [OpenID] OpenID Assertion Quality Extension - Draft

Daniel,

It's not a bad idea, but it doesn't actually drive any more knowledge
about the security of the authentication. There are so many factors when
calculating the entropy and overall security of a password that I don't
think it should be included in the AQE.

Listing the password length, the criteria for the password, how long
since last password change and other factors should probably be either
part of the Attribute Exchange or the eventual convergence/alignment
with SAML AC.

- Avery


>It might be useful to some RP's to know of any complexity schemes put 
>on users' passwords.
>
>How about:
>
>password.min_length=8
>password.max_length=16
>
>the number of characters that the password is between.
>password.max_length would probably be more useful as I don't see many 
>RP's complaining if the OP allows for long passwords. I can see the RP 
>wanting my password to be at least four characters though.
>
>password.complexity=alphanumeric,mixed-case
>
>a comma separated list of common restrictions to the password's format.
>
>Some possible values: "none", "numeric", "alpha", "alphanumeric",
>"lower-case", "upper-case", "mixed-case", "non-dictionary",
>"case-insensitive"
>
>"none" or omitting one of the facets would have the effect of allowing
>alphanumeric characters of any case + possibly some special characters.
>case sensitive.
>
>What do you think?
>
>Daniel E. Renfer
>http://kronkltd.net/
>
>On 12/1/06, Avery Glasser <aglasser at vxvsolutions.com> wrote:
>> All,
>>
>> Attached is the new XML for draft 2 of the AQE spec. It has been 
>> checked into SVN as release 140.
>>
>> David, Can you convert it to HTML and repost it to the list?
>>
>> -- Avery
>>
>> ==============================
>> Avery Glasser
>> CTO
>> VxV Solutions, Inc.
>>
>> + 1.415.992.7264 - office
>> + 1.415.290.1400 - mobile
>> + 1.415.651.9218 - fax
>>
>> 329 Bryant Street, Suite 2D
>> San Francisco, CA 94107
>>
>> email:  aglasser at vxvsolutions.com
>> i-name: =avery
>> ==============================
>>
>> This e-mail (including any attachments), is confidential and intended
>> only for the use of the addressee(s). It may contain information
>> covered by legal, professional or other privilege. If you are not an 
>> addressee, please inform the sender immediately and destroy this 
>> e-mail. Do not copy, forward, use or disclose this e-mail. Thank you.
>>



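
The point argued in this thread, that advertised password rules say little about the strength of the password actually used, as an added example (not from the thread or the AQE draft). It parses the three `password.*` fields proposed in the quoted message; the meanings given to `alphanumeric` and `mixed-case`, the 94-symbol default, the sample passwords and all function names are assumptions.

```python
import math

# Constructed input: the three fields proposed in the quoted message.
PROPOSED = """password.min_length=8
password.max_length=16
password.complexity=alphanumeric,mixed-case"""

# Constructed sample passwords (not real credentials).
SAMPLES = ["Password1", "Summer2006", "k3Vq9ZpT2mWx", "correct horse battery staple"]

def parse_policy(text):
    """Parse 'password.<name>=<value>' lines into a dict."""
    raw = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not (key.startswith("password.") and sep and value):
            raise ValueError(f"malformed field: {line!r}")
        raw[key[len("password."):]] = value
    return {"min": int(raw["min_length"]), "max": int(raw["max_length"]),
            "facets": set(raw.get("complexity", "none").split(","))}

def complies(password, policy):
    """Assumed semantics: 'alphanumeric' = ASCII letters and digits only,
    'mixed-case' = at least one lower-case and one upper-case letter."""
    if not policy["min"] <= len(password) <= policy["max"]:
        return False
    if "alphanumeric" in policy["facets"] and not (password.isascii() and password.isalnum()):
        return False
    if "mixed-case" in policy["facets"]:
        return any(c.islower() for c in password) and any(c.isupper() for c in password)
    return True

def keyspace_bits(policy):
    """Upper bound the policy implies: log2 of all strings of allowed length
    over 62 (alphanumeric) or 94 (printable ASCII, assumed default) symbols."""
    symbols = 62 if "alphanumeric" in policy["facets"] else 94
    return math.log2(sum(symbols ** n for n in range(policy["min"], policy["max"] + 1)))

def assess(passwords, policy_text=PROPOSED):
    """Return (advertised bound in bits, {password: complies?})."""
    policy = parse_policy(policy_text)
    return round(keyspace_bits(policy), 1), {p: complies(p, policy) for p in passwords}

if __name__ == "__main__":
    bits, verdicts = assess(SAMPLES)
    print(f"policy upper bound: {bits} bits")
    for pw, ok in verdicts.items():
        print(f"{'accepted' if ok else 'rejected'}  {pw!r}")
```

The two guessable samples and the random one all pass under the same advertised bound, while the long passphrase is rejected for its length and spaces.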


