[OpenID] Password age and password reset

Breno de Medeiros breno at google.com
Wed May 13 02:33:59 UTC 2009


Do RSA PEAP RPs implement analysis on 'soft' signals to detect
possible credential theft? I do not think so, at least not
customarily. On the other hand, websites using a traditional password
system often implement such strategies to detect possible account
takeover/fraud. By switching to an OpenID-based sign-in, at least some
of the signals are lost.

2009/5/12 Peter Williams <pwilliams at rapattoni.com>:
> In most NAC regimes, such as those requiring periodic health recertification (and rekeying of the PEAP-TLS authenticator, or getting a new token code from something like a connected PEAP-RSA token device), it is the RP role that defines the period.
>
> In RSA PEAP, the RP is not entitled to know anything about the user's PIN. An IdP can interact, for PIN distribution, PIN refresh, rekeying PEAP session keys, etc.
>
> Don't see why OpenID cannot be another NAC enforcement scheme (alongside IPsec health certs, SAML assertions).



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
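The "soft signals" discussed above, as an added illustration that is not part of the original thread or of any OpenID implementation: a small risk scorer run over a constructed login history. It scores one suspicious login twice, once with the fields a relying party that verifies the password itself can record (failed attempts before the success, a reset immediately before the login), and once as the same login would look to a relying party that only receives an OpenID assertion and never sees the password being typed. The event fields, weights, threshold, addresses and user agents are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy: at or above this score the RP steps up (challenge, alert, or block).
THRESHOLD = 5


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    user_agent: str
    # Password-side signals. A site that verifies the password itself can
    # record them; an RP that only receives an OpenID assertion never sees
    # the password being typed, so these arrive as None.
    failed_attempts_before: Optional[int] = None
    reset_just_before: Optional[bool] = None


@dataclass
class UserProfile:
    """What the RP remembers about a user from previous successful logins."""
    known_ips: set = field(default_factory=set)
    known_agents: set = field(default_factory=set)
    last_success: Optional[LoginEvent] = None


def score_login(ev: LoginEvent, profile: UserProfile):
    """Return (score, reasons) for one login. Weights are illustrative assumptions."""
    score, reasons = 0, []
    # Signals any RP still has: network origin, client, timing.
    if ev.ip not in profile.known_ips:
        score += 2
        reasons.append("new-ip")
    if ev.user_agent not in profile.known_agents:
        score += 1
        reasons.append("new-agent")
    last = profile.last_success
    if last is not None and ev.ip != last.ip and ev.ts - last.ts < timedelta(minutes=10):
        score += 2
        reasons.append("rapid-ip-change")
    # Signals only a password-verifying RP has.
    if ev.failed_attempts_before is not None and ev.failed_attempts_before >= 3:
        score += 3
        reasons.append("failures-then-success")
    if ev.reset_just_before:
        score += 2
        reasons.append("reset-then-login")
    return score, reasons


def as_openid_assertion(ev: LoginEvent) -> LoginEvent:
    """Model the same login as seen by an OpenID RP: password-side fields are gone."""
    return LoginEvent(ev.user, ev.ts, ev.ip, ev.user_agent)


def demo():
    """Score one constructed suspicious login both ways and return the results."""
    t0 = datetime(2009, 5, 12, 9, 0)
    # Constructed history: alice normally logs in from one address with one browser.
    profile = UserProfile(
        known_ips={"198.51.100.7"},
        known_agents={"Firefox/3.0"},
        last_success=LoginEvent("alice", t0, "198.51.100.7", "Firefox/3.0"),
    )
    # Constructed suspicious event: a new address four minutes later, after five
    # failed password attempts (the kind of thing a password RP logs itself).
    suspicious = LoginEvent(
        "alice", t0 + timedelta(minutes=4), "203.0.113.9", "Firefox/3.0",
        failed_attempts_before=5, reset_just_before=False,
    )
    results = {}
    for label, event in (("password_rp", suspicious),
                         ("openid_rp", as_openid_assertion(suspicious))):
        score, reasons = score_login(event, profile)
        results[label] = {"score": score, "reasons": reasons,
                          "flagged": score >= THRESHOLD}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: score={r['score']} flagged={r['flagged']} reasons={r['reasons']}")
```

With these weights the password-verifying RP scores the login 7 and flags it, while the OpenID RP, seeing only the new address and the rapid change of origin, scores it 4 and lets it through. The network and client signals survive the move to OpenID; the password-side ones move to the IdP, which is the loss the message above describes.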


