This does bring up another point I wanted to discuss though...
This draft was written way back when it was popular to assign OIDs in
I-Ds, a practice that has lost favor partly due to implementations using
those OIDs and experiencing problems as semantics changed but OIDs
didn't.
I'd like to move this I-D forward, and I don't want to be tied to any
semantics defined in previous versions. I propose that we replace the existing
OIDs with requests for IANA OIDs. This way, existing implementations won't
appear to be invalid according to the current and future revisions, and I
won't have to worry so much about breaking existing implementations.
Jim
>>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 10/25/04 6:08:05 PM >>>
Sorry Jim... I see where you're coming from now :)
Yep, I agree.
Andrew.
Jim Sermersheim wrote:
> Actually, I suggested that the password expire at its max age (regardless
> of whether any warnings have been sent).
>
> Jim
>
>>>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 10/25/04 3:36:19 PM >>>
>
> G'Day
>
> I'm generally satisfied with this.
>
> If any directories exist today that use the following model:
> * pwdMaxAge - Absolute maximum age of the password
> * pwdExpireWarning - Time period before the max age in which warnings
>   will be delivered,
>
> Then changing the semantics of these attributes would lead to unexpected
> behavior if an organization upgraded their directory server to the new
> functionality.
>
> E.g. A directory that wants to warn people 6 months before their password
> is due to expire.
> pwdMaxAge = 31536000 (1 year)
> pwdExpireWarning = 15768000 (6 Months)
>
> Updating the directory server to one that supports Jim's suggestion below
> will result in the password reaching its max age, then remaining valid for
> another 6 months.
>
> I'm not too sure if this is likely to be a serious problem for
> implementations, but some text in the security considerations of the
> draft indicating this might be appropriate.
>
> Cheers
> _________________________________________
> Andrew Sciberras
> eB2Bcom - Software Engineer
>
>
> Jim Sermersheim wrote:
>
>> I believe the intent (however wrongly formulated) was to allow the user
>> to receive a warning no matter what. Even if the password's max age has
>> passed, the user would be allowed pwdExpireWarning seconds to change the
>> pwd. The definition of pwdExpireWarning talks about this in a not very
>> precise way (The number of seconds before the password will expire after
>> the user is first warned of its upcoming expiration.)
>>
>> Some history to help make sense of things:
>>
>> The password policy I-D was created as a blend of the (then) Netscape
>> and Novell directory password policies.
>>
>> I believe the original implementors of pwdExpireWarning (Netscape) used
>> this to both warn of expiration, and also allow some kind of grace login
>> period.
>> Novell's implementation didn't include the notion of a warning period.
>> Only a number of grace logins.
>>
>> So now we have two ways of achieving 'grace login'.
>>
>> A better way of specifying the pwdExpireWarning and pwdMaxAge concepts
>> would have been to use one attribute to specify an age at which an
>> expiration warning is sent, and another attribute specifying how long
>> these warnings will continue before the password finally expires.
>>
>> I dislike having two similar but different grace mechanisms, so I
>> propose that we remove pwdExpireWarned, and expire the password when it
>> reaches pwdMaxAge (regardless of whether any warnings have been sent).
>>
>> I'll update the I-D to reflect this without debate (because the deadline
>> is so near), and we can go from there.
>>
>> Jim
>>
>>
>>>>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 9/14/04 7:48:25 PM >>>
>> Hi Neil,
>>
>> Neil Dunbar wrote:
>> <SNIP>
>>
>>> The pwdMaxAge should be the absolute maximum time that the password
>>> can be used by anyone as a credential. The pwdExpirationWarning time, I
>>> think, should be the earliest opportunity that the directory server can
>>> warn the user that his/her password is approaching expiry. If the user
>>> comes into the expiry period late in the game - tough. You can always
>>> use the grace logins feature to allow the user with the dud password to
>>> change it after it has ceased to be a meaningful credential for general
>>> directory operations
>>
>> </SNIP>
>>
>> If someone was to implement the draft in its current form, their first
>> warning time would indicate the time difference between the current time
>> and the time that the password is due to expire. Subsequent logins would
>> result in a warning time that will go beyond the specified pwdMaxAge,
>> allowing the user to receive their full warning period.
>>
>> Our implementation, which was based around the -05 version of the draft,
>> handled this inconsistency by returning an initial warning message of
>> pwdExpireWarning.
>>
>> I've now noticed, in version -07 of the draft, that the following new
>> line exists within the description of pwdExpireWarning:
>> If not 0, the value must be smaller than the value of the pwdMaxAge
>> attribute.
>>
>> This seriously implies that the author's intention is to ensure that the
>> warning time does not exceed the maximum age of the password.
>>
>> I'm not extremely passionate about whether a user should receive their
>> full warning period. Some consensus on this issue, and the author's
>> opinion (Jim?) would be good though.
>>
>>
>> Andrew Sciberras
>> eB2Bcom - Software Engineer
>>
> ------------------------------------------------------------------------
>> _______________________________________________
>> Ldapext mailing list
>> Ldapext@ietf.org
>> https://www1.ietf.org/mailman/listinfo/ldapext
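The thread above contrasts two readings of pwdMaxAge and pwdExpireWarning: Jim's proposal (the password expires at pwdMaxAge no matter what) and the older reading Andrew implemented against -05 (the user always gets the full pwdExpireWarning seconds from the first warning, even past pwdMaxAge). The following Python is an added example, not code from the thread, the I-D, or any of the implementations mentioned; it models both readings with Andrew's 1-year / 6-month numbers so the "valid for another 6 months" effect can be seen, and also applies the -07 constraint that a non-zero pwdExpireWarning must be smaller than pwdMaxAge. All names (Policy, Result, check_policy, evaluate_max_age, evaluate_full_warning, simulate) and all bind times are constructed for this example; times are integer seconds.

```python
"""Model of the two pwdMaxAge / pwdExpireWarning readings discussed in the
thread. Added example; names and sample times are constructed, not taken
from the I-D or any real implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31536000     # pwdMaxAge in Andrew's example (365 days)
SIX_MONTHS = 15768000   # pwdExpireWarning in Andrew's example


@dataclass(frozen=True)
class Policy:
    pwdMaxAge: int         # seconds the password may be used after it was set
    pwdExpireWarning: int  # seconds before expiry during which warnings go out


def check_policy(p: Policy) -> Optional[str]:
    """The -07 constraint quoted in the thread: a non-zero pwdExpireWarning
    must be smaller than pwdMaxAge. Returns an error string or None."""
    if p.pwdMaxAge < 0 or p.pwdExpireWarning < 0:
        return "ages must be non-negative"
    if p.pwdExpireWarning != 0 and p.pwdExpireWarning >= p.pwdMaxAge:
        return "pwdExpireWarning must be smaller than pwdMaxAge"
    return None


@dataclass(frozen=True)
class Result:
    expired: bool            # bind refused because the password has expired
    warning: Optional[int]   # secondsBeforeExpiration to return, if any
    expires_at: int          # absolute time at which the password stops working


def evaluate_max_age(p: Policy, changed_time: int, now: int) -> Result:
    """Jim's proposal: expiry is fixed at changed_time + pwdMaxAge, whether
    or not a warning was ever delivered; warn only inside the window."""
    expires_at = changed_time + p.pwdMaxAge
    remaining = expires_at - now
    if remaining <= 0:
        return Result(True, None, expires_at)
    if p.pwdExpireWarning and remaining <= p.pwdExpireWarning:
        return Result(False, remaining, expires_at)
    return Result(False, None, expires_at)


def evaluate_full_warning(p: Policy, changed_time: int,
                          first_warned_at: Optional[int],
                          now: int) -> Tuple[Result, Optional[int]]:
    """Older reading: once the warning window is entered, the user keeps the
    full pwdExpireWarning seconds counted from the FIRST warning. Returns the
    result plus the (possibly newly set) first-warning time, which a server
    would have to persist between binds."""
    nominal = changed_time + p.pwdMaxAge
    if first_warned_at is None:
        if now < nominal - p.pwdExpireWarning:
            return Result(False, None, nominal), None
        first_warned_at = now          # the warning clock starts at this bind
    expires_at = first_warned_at + p.pwdExpireWarning
    remaining = expires_at - now
    if remaining <= 0:
        return Result(True, None, expires_at), first_warned_at
    return Result(False, remaining, expires_at), first_warned_at


def simulate(p: Policy, changed_time: int, binds: List[int],
             full_warning: bool) -> Tuple[List[int], Optional[int]]:
    """Replay a sequence of bind times under one model. Returns the warning
    values delivered and the first bind time at which the password was
    refused (None if it was still usable at the last bind)."""
    first_warned_at = None
    warnings: List[int] = []
    for t in binds:
        if full_warning:
            res, first_warned_at = evaluate_full_warning(
                p, changed_time, first_warned_at, t)
        else:
            res = evaluate_max_age(p, changed_time, t)
        if res.expired:
            return warnings, t
        if res.warning is not None:
            warnings.append(res.warning)
    return warnings, None


if __name__ == "__main__":
    # Andrew's scenario: password set at t=0, the user first binds exactly
    # at pwdMaxAge and then keeps binding for another six months.
    policy = Policy(pwdMaxAge=ONE_YEAR, pwdExpireWarning=SIX_MONTHS)
    binds = [0, ONE_YEAR, ONE_YEAR + SIX_MONTHS - 1, ONE_YEAR + SIX_MONTHS]
    print("policy check:      ", check_policy(policy))
    print("max-age model:     ", simulate(policy, 0, binds, full_warning=False))
    print("full-warning model:", simulate(policy, 0, binds, full_warning=True))
```

Under the max-age model the bind at ONE_YEAR is refused outright; under the full-warning model that same bind starts the warning clock and the credential keeps working until ONE_YEAR + SIX_MONTHS, which is the extra six months of validity Andrew describes. The first-warning timestamp is state a server must store per entry, which is one more reason the fixed-expiry model is simpler to reason about.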