[OpenID] OpenID Assertion Quality Extension - Draft
Avery Glasser
aglasser at vxvsolutions.com
Sat Dec 2 19:35:04 UTC 2006
Daniel,
It's not a bad idea, but it doesn't actually drive any more knowledge about the security of the authentication. There are so many factors when calculating the entropy and overall security of a password that I don't think it should be included in the AQE.
Listing the password length, the criteria for the password, how long since last password change and other factors should probably be either part of the Attribute Exchange or the eventual convergence/alignment with SAML AC.
- Avery
>It might be useful to some RPs to know of any complexity schemes put
>on users' passwords.
>
>How about:
>
>password.min_length=8
>password.max_length=16
>
>the number of characters that the password is between.
>password.max_length would probably be more useful as I don't see many
>RPs complaining if the OP allows for long passwords. I can see the RP
>wanting my password to be at least four characters though.
>
>password.complexity=alphanumeric,mixed-case
>
>a comma separated list of common restrictions to the password's
>format. Some possible values: "none", "numeric", "alpha",
>"alphanumeric", "lower-case", "upper-case", "mixed-case",
>"non-dictionary", "case-insensitive"
>
>"none" or omitting one of the facets would have the effect of allowing
>alphanumeric characters of any case + possibly some special
>characters. case sensitive.
>
>What do you think?
>
>Daniel E. Renfer
>http://kronkltd.net/
>
>On 12/1/06, Avery Glasser <aglasser at vxvsolutions.com> wrote:
>> All,
>>
>> Attached is the new XML for draft 2 of the AQE spec. It has been
>> checked into SVN as release 140.
>>
>> David, Can you convert it to HTML and repost it to the list?
>>
>> -- Avery
>>
>> ==============================
>> Avery Glasser
>> CTO
>> VxV Solutions, Inc.
>>
>> + 1.415.992.7264 - office
>> + 1.415.290.1400 - mobile
>> + 1.415.651.9218 - fax
>>
>> 329 Bryant Street, Suite 2D
>> San Francisco, CA 94107
>>
>> email: aglasser at vxvsolutions.com
>> i-name: =avery
>> ==============================
>>
>> This e-mail (including any attachments), is confidential and intended
>> only for the use of the addressee(s). It may contain information
>> covered by legal, professional or other privilege. If you are not an
>> addressee, please inform the sender immediately and destroy this
>> e-mail. Do not copy, forward, use or disclose this e-mail. Thank you.
>>
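The point made in the reply, that advertised length and complexity rules say little about how strong a given password actually is, can be shown with a short sketch. This is an added example, not part of the original thread or the AQE draft: the `password.*` field names come from the quoted proposal, while the token meanings, the `COMMON` list and all function names are assumptions.

```python
import math

# Constructed sample: the fields proposed in the quoted message, as an OP might send them.
ADVERTISED = (
    "password.min_length=8\n"
    "password.max_length=16\n"
    "password.complexity=alphanumeric,mixed-case\n"
)
# Assumption: a tiny stand-in for a real common-password list.
COMMON = {"Password1", "Welcome123", "Qwerty123"}


def parse_policy(text):
    """Parse the proposed password.* key=value lines into a dict."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or not key.startswith("password."):
            continue
        name = key[len("password."):]
        policy[name] = value.split(",") if name == "complexity" else int(value)
    return policy


def ceiling_bits(policy):
    """Entropy ceiling: a uniformly random password of maximum length."""
    tokens = set(policy["complexity"])
    # Assumed token meanings: mixed-case = 52 letters, alphanumeric adds 10 digits.
    alphabet = (52 if "mixed-case" in tokens else 26) + (10 if "alphanumeric" in tokens else 0)
    return policy["max_length"] * math.log2(alphabet)


def complies(password, policy):
    """Check a password against the advertised length and complexity rules."""
    tokens = set(policy["complexity"])
    ok = policy["min_length"] <= len(password) <= policy["max_length"]
    if "alphanumeric" in tokens:
        ok = ok and password.isalnum() and password.isascii()
    if "mixed-case" in tokens:
        ok = ok and any(c.islower() for c in password) and any(c.isupper() for c in password)
    return ok


def assess(password, policy):
    """Return (meets advertised policy, found in the common-password list)."""
    return complies(password, policy), password in COMMON


if __name__ == "__main__":
    policy = parse_policy(ADVERTISED)
    print(f"ceiling: {ceiling_bits(policy):.1f} bits")
    for pw in ("Password1", "k3VbQ9xTz2Lm"):
        print(pw, assess(pw, policy))
```

Both sample passwords satisfy the advertised policy, yet one sits in the common-password list, so the policy fields give an RP only a ceiling on strength, not a measure of it.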