On Fri, Oct 23, 2009 at 02:15:40PM -0700, Howard Chu wrote:
> I'm not sure you're trying to solve the right problem yet. I'm pretty
> unconvinced that account lockout is a good solution to anything, in
> general. That's why I added login rate control to the latest ppolicy draft,
> where the DSA simply starts inserting delays before responding to failed
> authc attempts. As I see it, rate control can be managed completely within
> a single DSA and no state ever needs to be replicated outward on any
> particular schedule. But at the moment I haven't yet thought about how well
> this will work in all the possible deployment scenarios.
>
> So once again, what's important here is to analyze what are the types of
> attacks we expect to see, and how particular defense strategies will
> behave, and how effectively they will fend off those attacks. Until you've
> outlined the problems, you don't have any framework for designing the
> solution.

Just a quick comment: The way we understand NT4 is that the failed attempts
are counted locally and only the lockout is replicated. This reduces the
load a lot.

Volker
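The two defences discussed in this exchange, modelled side by side as an added illustration (this is not code from OpenLDAP, the ppolicy draft, Samba, or NT4): a single DSA that answers failed binds only after a delay that grows with the account's recent failure count, keeping all state local, and a set of replicas that each count failures locally and replicate only the lockout decision. The delay schedule, the 300-second window, the lockout threshold and the replica names are assumed tunables, and the simulation input is constructed.

```python
"""Login rate control vs. locally counted, replicated lockout.

Added illustration; not the ppolicy, OpenLDAP, Samba or NT4 implementation.
Delay schedule, window, threshold and replica names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class RateControlledAuth:
    """One DSA that slows down failed binds on an account.

    Every consecutive failure doubles the delay inserted before the
    (negative) bind response, capped at max_delay.  Failures older than
    `window` seconds are forgotten.  Nothing here is ever replicated."""
    base_delay: float = 0.5      # seconds after the first failure (assumed)
    max_delay: float = 8.0       # ceiling on the inserted delay (assumed)
    window: float = 300.0        # seconds after which the counter resets
    failures: dict = field(default_factory=dict)   # account -> (count, ts)

    def failed_bind(self, account, now):
        """Record a failed bind at time `now`; return seconds to wait."""
        count, last = self.failures.get(account, (0, now))
        if now - last > self.window:
            count = 0                      # old failures no longer count
        count += 1
        self.failures[account] = (count, now)
        return min(self.max_delay, self.base_delay * 2 ** (count - 1))

    def successful_bind(self, account):
        """A good password clears the local failure history."""
        self.failures.pop(account, None)


@dataclass
class Replica:
    """NT4-style replica: counts failures locally, replicates only lockouts."""
    name: str
    threshold: int = 5                     # failures before lockout (assumed)
    counts: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def failed_bind(self, account):
        """Return a lockout event to replicate, or None if none is due."""
        if account in self.locked:
            return None                    # already locked; nothing to count
        n = self.counts.get(account, 0) + 1
        self.counts[account] = n
        if n >= self.threshold:
            self.locked.add(account)
            return {"type": "lockout", "account": account, "origin": self.name}
        return None

    def apply(self, event):
        """Apply a lockout event received from another replica."""
        if event["type"] == "lockout":
            self.locked.add(event["account"])


def replicate(event, replicas):
    """Push one lockout event to every other replica; counts never move."""
    for r in replicas:
        if r.name != event["origin"]:
            r.apply(event)


def simulate_lockout(attempts_per_replica, n_replicas=3, threshold=5,
                     account="alice"):
    """Drive `attempts_per_replica` failed binds at each replica in turn.

    Returns (lockout_events_replicated, replicas_with_account_locked)."""
    replicas = [Replica(f"dsa{i}", threshold) for i in range(n_replicas)]
    events = 0
    for r in replicas:
        for _ in range(attempts_per_replica):
            ev = r.failed_bind(account)
            if ev is not None:
                events += 1
                replicate(ev, replicas)
    locked = sum(1 for r in replicas if account in r.locked)
    return events, locked
```

With local counting, a burst of failures on one replica produces a single replicated message for the whole fleet, which is the load reduction the mail describes; the flip side is that failures spread thinly across replicas never reach any one replica's threshold, so the per-replica threshold, not the global one, is the effective bound. Rate control needs no replication at all, since each DSA only slows its own responses.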