[OpenID] Password age and password reset
Peter Williams
pwilliams at rapattoni.com
Wed May 13 13:33:30 UTC 2009
My gut feeling is that OpenID should stay clear of normalizing user authentication. Let schemes plugged into a particular OP worry about authentication, and (re)provisioning of authentication information (such as passwords).
The only thing an RP cares about is the id of the OP and the PAPE level. (Arguably, it cares about authInstant - and I'm willing to be convinced one way or the other, seeing as a Yahoo assertion may relate to an authentication act up to 2 weeks ago - which as an RP I'd want to reject - in general).
Standardizing user authentication schemes is a miserable task. Leave it to vendors. They have 25 years' experience.
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Allen Tom [atom at yahoo-inc.com]
Sent: Tuesday, May 12, 2009 10:09 PM
To: SitG Admin; general at openid.net
Subject: Re: [OpenID] Password age and password reset
SitG Admin wrote:
>> Perhaps the best solution would be for the RP to just inform the user
>> of suspicious activity, and to recommend that the user change their PW.
>
> Inform the user how? If the RP is detecting a recently changed
> password, they can't detect suspicious activity until after the
> password has changed - and then, it probably IS the attacker (not the
> user) who is connecting to the RP.
>
Well, in the original proposal, the RP would tell the OP to tell the
attacker to change the password. I still don't quite understand the
proposal and the attack scenarios that it's trying to defend against.
Allen
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
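The authInstant point above (an RP trusting only the OP's identity and the PAPE level, and rejecting an assertion whose authentication act is too old) is the kind of check an RP can implement in a few lines. The following is an added example, not code from this thread or from any OpenID library: it evaluates an OpenID 2.0 response carrying the PAPE 1.0 extension, assuming the RP sent openid.pape.max_auth_age in its request. The field names come from the PAPE 1.0 specification; the OP endpoint URL, the response dictionaries and the fixed "current time" are constructed for the demonstration.

```python
"""RP-side freshness and policy check for an OpenID 2.0 + PAPE 1.0 response.

Added example, not the mailing list's or any project's code.  Field names
(openid.op_endpoint, openid.ns.pape, openid.pape.auth_time,
openid.pape.auth_policies) are from the PAPE 1.0 spec; everything else
(endpoint URL, sample responses, clock values) is constructed.
"""
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
# PAPE's marker meaning "no policy was applied"; it must not count as a satisfied policy.
PAPE_POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def parse_auth_time(value: str) -> datetime:
    """PAPE auth_time is RFC 3339 in UTC with a trailing 'Z', e.g. 2009-05-12T22:09:00Z."""
    if not value.endswith("Z"):
        raise ValueError("auth_time must be expressed in UTC with a trailing Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_response(fields, trusted_ops, max_auth_age, required_policies=(),
                      now=None, skew=timedelta(seconds=60)):
    """Return (accepted, reason) for a positive assertion already signature-checked.

    The RP only cares about: who the OP is, which PAPE policies it reports,
    and how old the authentication act behind the assertion is.
    """
    now = now or datetime.now(timezone.utc)

    # 1. The OP must be one the RP trusts; everything else is the OP's business.
    op = fields.get("openid.op_endpoint")
    if op not in trusted_ops:
        return False, f"untrusted OP endpoint: {op!r}"

    # 2. Without the PAPE namespace the OP ignored the extension entirely.
    if fields.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not return a PAPE response"

    # 3. Every policy the RP required must appear in auth_policies.
    policies = set(fields.get("openid.pape.auth_policies", "").split())
    policies.discard(PAPE_POLICY_NONE)
    missing = set(required_policies) - policies
    if missing:
        return False, f"required policies not satisfied: {sorted(missing)}"

    # 4. auth_time is mandatory once max_auth_age was requested; absence is a rejection.
    raw = fields.get("openid.pape.auth_time")
    if raw is None:
        return False, "auth_time missing although max_auth_age was requested"
    try:
        auth_time = parse_auth_time(raw)
    except ValueError as exc:
        return False, f"malformed auth_time: {exc}"

    # 5. Reject timestamps from the future (beyond a small clock-skew allowance)
    #    and authentication acts older than the RP's limit.
    if auth_time > now + skew:
        return False, "auth_time lies in the future"
    age_s = int((now - auth_time).total_seconds())
    if age_s > max_auth_age:
        return False, f"authentication is {age_s}s old, limit is {max_auth_age}s"
    return True, f"fresh authentication ({age_s}s old)"


# --- constructed sample data --------------------------------------------------
NOW = datetime(2009, 5, 13, 13, 33, 30, tzinfo=timezone.utc)       # fixed clock for the demo
TRUSTED_OPS = {"https://op.example.net/server"}                    # placeholder OP endpoint
MFA_POLICY = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"

FRESH_RESPONSE = {                      # authenticated ten minutes before NOW
    "openid.op_endpoint": "https://op.example.net/server",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": MFA_POLICY,
    "openid.pape.auth_time": "2009-05-13T13:23:30Z",
}
STALE_RESPONSE = dict(FRESH_RESPONSE, **{"openid.pape.auth_time": "2009-04-29T13:33:30Z"})  # two weeks old
NO_TIME_RESPONSE = {k: v for k, v in FRESH_RESPONSE.items() if k != "openid.pape.auth_time"}

if __name__ == "__main__":
    for label, resp in (("fresh", FRESH_RESPONSE), ("stale", STALE_RESPONSE), ("no auth_time", NO_TIME_RESPONSE)):
        ok, why = evaluate_response(resp, TRUSTED_OPS, max_auth_age=3600,
                                    required_policies=(MFA_POLICY,), now=NOW)
        print(f"{label:12s} -> {'accept' if ok else 'reject'}: {why}")
```

With max_auth_age set to one hour, the ten-minute-old assertion is accepted while the two-week-old one and the one lacking auth_time are both rejected; an assertion from an endpoint outside TRUSTED_OPS is rejected before any PAPE field is examined, which is the "id of the OP" check that comes first in the RP's decision.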