[OpenID] Password age and password reset
Breno de Medeiros
breno at google.com
Wed May 13 17:14:36 UTC 2009
On Wed, May 13, 2009 at 9:55 AM, Santosh Rajan <santrajan at gmail.com> wrote:
> Unlike the one to one scenario between the RP and user, we are scaling here.
> We might have "frivolous" RP's requesting password change at the drop of a
> hat.
As I mentioned before, I think trust issues should be handled
separately. I think we all agree that (1) such extension would not be
mandatory; (2) there would be latitude for OPs to use RP reputation
metrics or any other discretionary approach.
> Also once the RP decides that the user has to
> change the password the RP should inform the user and OP immediately and not
> wait for him to log in again via OpenID.
Sure, presumably by sending an email to the user account. That channel
may or may not prove more timely than notification when the user tries to
sign in to the account. Again, I am not proposing that such approach
should substitute anything else. I just think all the alternatives
presented here so far (even in combination) may not be sufficient to
address this case, either from a usability perspective, or even from a
purely security perspective (the signal from RP to OP could have value
for both, whether or not side channels exist. For instance, they
indicate that a user, possibly malicious, is actively trying to
recover the account).
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)