[OpenID] Password age and password reset
Peter Williams
pwilliams at rapattoni.com
Thu May 14 11:52:41 UTC 2009
Think about the policy more.
RP decides that the assertion is unreliable because of events on the RP site, which the RP suspects are due to an IdP-side policy violation.
RP sends the user to the IdP of the current session, for remediation.
IdP by delegation is not the IdP that was compromised. User changes password on said IdP.
All IdP assertions are rearmed when some IdP makes the claim that the password was changed. Passwords on other IdPs are not changed.
Let's say XRDS uses no HTTPS, anywhere. Thus there is little confidence in the socket info about IP/domain control by IdPs.
If the user subscribes to 10 RPs, they can be asked to change their password by any of them, at any moment (at any of n IdPs), or else be "locked out".
So far, this is what has been said.
-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Wednesday, May 13, 2009 11:52 PM
To: Luke Shepard <lshepard at facebook.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] Password age and password reset
>This whole thing was prompted because Facebook is working to become
>a relying party.
Glad to hear it! :)
>As part of that, we would like to be able to get this extra
>information. Otherwise, we are forced to have a more draconian
>policy - if the user's account is compromised, then disable all
>OpenID logins until the user does something out of band to convince
>us that they control their provider. That's pretty awkward.
A boon to small operators who run an OP for a small group of people
they know in person, and can easily meet up with again to reset the
password out of band.
-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general