[OpenID] Password age and password reset
SitG Admin
sysadmin at shadowsinthegarden.com
Thu May 14 16:04:45 UTC 2009
>If the user subscribes to 10 rps, can be being asked to change
>password by any of them, at any moment (at any of n idps) else be
>"locked out".
>
>So far, this is what has been said.

The policy for one RP does not extend to the other RPs - if the one
RP suspects that the user's password is too old (or too new), it can
send the user back to the OP with an assertion for and from ITSELF
(not any other RPs) that the user will be "locked out" from the one
RP until certain conditions have been met.

There is a related discussion on the specs list about group IDs,
some implementations of which could result in multiple concurrent
active sessions - usually a sign of suspicious activity.

-Shade