[OpenID] Password age and password reset
SitG Admin
sysadmin at shadowsinthegarden.com
Thu May 14 02:39:04 UTC 2009
>Unlike the one to one scenario between the RP and user, we are scaling here.
>We might have "frivolous" RPs requesting password change at the drop of a
>hat.
They may request it, they won't necessarily get it. If the RP doesn't
receive password change, it can of course impose the standard penalty
- i.e., limited to itself. If the user wants to log in to that RP,
they must change their password - but they are not forced to change
their password *immediately*, they can always do it "later", sometime
between then and when they next log in to the RP, possibly modified
by the RP's policy of not granting access within X hours of a
password having been reset. In the meantime, they can continue
logging in to *other* RPs, who do not share the password change
request policy.
-Shade
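The RP-local penalty described in the reply above, as an added illustration that is not code from the original post or from any OpenID implementation: each relying party keeps its own record of whether it asked for a password change and of its own minimum age after a reset, so a "frivolous" RP can only lock the user out of itself. The class and field names (`RelyingPartyPolicy`, `min_age_after_reset`, `change_requested_at`) and all timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class RelyingPartyPolicy:
    """Hypothetical per-RP state: this RP's view of the user's password.

    The penalty for ignoring a change request is limited to this RP,
    so no other RP ever consults this object.
    """
    name: str
    # The "X hours" from the post: refuse logins this soon after a reset.
    min_age_after_reset: timedelta = timedelta(hours=0)
    # When this RP last asked the user to change their password, if ever.
    change_requested_at: Optional[datetime] = None

    def request_password_change(self, now: datetime) -> None:
        """Record that this RP asked for a change (it may or may not get one)."""
        self.change_requested_at = now

    def evaluate_login(self, password_changed_at: datetime,
                       now: datetime) -> Tuple[bool, str]:
        """Decide whether this RP admits the user at time `now`.

        `password_changed_at` is the IdP-reported time of the last change.
        """
        # A change request is only satisfied by a change made after it.
        if (self.change_requested_at is not None
                and password_changed_at <= self.change_requested_at):
            return False, "password change required by this RP before login"
        # Independently of any request, a very fresh reset may be refused.
        if now - password_changed_at < self.min_age_after_reset:
            return False, "password reset too recent for this RP"
        return True, "ok"


def demo() -> dict:
    """Walk through the scenario in the post with two RPs (constructed times)."""
    t0 = datetime(2009, 5, 14, 0, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)

    frivolous = RelyingPartyPolicy("frivolous-rp", min_age_after_reset=24 * hour)
    other = RelyingPartyPolicy("other-rp")  # never asks, no minimum age

    # The user's password was last changed a month ago.
    changed_at = t0 - timedelta(days=30)

    # The frivolous RP demands a change at t0; the user ignores it for now.
    frivolous.request_password_change(t0)
    before_change = {
        rp.name: rp.evaluate_login(changed_at, t0 + hour)
        for rp in (frivolous, other)
    }

    # Two hours later the user finally changes the password.
    changed_at = t0 + 2 * hour
    just_after = {
        rp.name: rp.evaluate_login(changed_at, t0 + 3 * hour)
        for rp in (frivolous, other)
    }

    # After the frivolous RP's 24-hour cool-off it admits the user again.
    next_day = {
        rp.name: rp.evaluate_login(changed_at, t0 + 27 * hour)
        for rp in (frivolous, other)
    }
    return {"before_change": before_change, "just_after": just_after,
            "next_day": next_day}


if __name__ == "__main__":
    for stage, outcome in demo().items():
        print(stage, outcome)
```

The point the code makes is that the user is never forced to change the password at the moment of the request: the other RP admits them throughout, and the requesting RP's own refusal ends as soon as the user changes the password and its cool-off has elapsed.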