[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Password Policy OIDs

To: John McMeeking <jmcmeek@us.ibm.com>
Subject: Re: [ldapext] Password Policy OIDs
From: Howard Chu <hyc@highlandsun.com>
Date: Wed, 08 Dec 2004 12:19:21 -0800
Cc: Duane Buss <DBuss@novell.com>, ldapext-bounces@ietf.org, "Neal-Joslin, Robert \(HP-UX Lab R&D\)" <bob.joslin@hp.com>, Tammy Green <TGREEN@novell.com>, ldapext@ietf.org, Jim Sermersheim <jimse@novell.com>
In-reply-to: <OFC574F1DB.A5A5747C-ON86256F64.006A8DF7-86256F64.006D053E@us.ibm.com>
References: <OFC574F1DB.A5A5747C-ON86256F64.006A8DF7-86256F64.006D053E@us.ibm.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101

John McMeeking wrote:


You asked if the "# of" expression is valuable?  I don't know.  The few
groups I've dealt with don't have rules as complex as "satisfy 3 of 4 rules
plus the following" unless you were going to try to express "must have n
letters + at least of the following: number, special character, mixed case
letters" in that way.  I would hope that rule can be expressed as a single
rule, not "rule1 AND 1 of {rule2, rule3, rule4}"

Like Jim, I expected that an AND of all rules would be sufficient.  I know
I'd hate to be the user trying to figure out what passwords I'll be able to
use.

If password policy uses something like either your syntax or the AND/OR/...
suggestion from Jim, I suggest that we try to keep the rules (and their
arguments) separate from the specification of which rules must be
satisfied.  I'm not feeling very inventive for attribute names, but I'd
hope it would be something like:

Yes, I think it would be smart to separate the rule specification from this point, so as not to slow things down here any further.

Although I'll reiterate that if you want to express rules that are applied sequentially and conditionally, you're talking about a program and a programming language. And I think it is wrong to invent a new programming language here. Also, we *are* talking about sequential and conditional application of rules; simple Boolean combinations of a static set of rules is going to drive everyone crazy. As Robert already said, the combinations grow exponentially.


pwdPolicySubrule: Rinc inclusion-policy-oid <data for this rule --
A-Z,a-z,0-9 >
pwdPolicySubrule: RdictA dictionary-policy-oid <data for this rule --
dictionary A >
pwdPolicySubrule: RdictB dictionary-policy-oid <data for this rule --
dictionary B >
pwdPolicySubrule: Rmin3 minlength-policy-oid <data for this rule -- at
least 3 chars>
.....
pwdPolicyRule: 3 of (Rinc, RdictA, RdictB) AND Ryear AND Rmon
[I know I slaughtered your example, but...]

That is:
- pwdPolicyRule can be expressed using just rule names and logical
expressions
- pwdPolicySubrules specify the details of each subrule (name of the rule
instance, OID of the particular policy, and arguments)

That allows individual policies to be mixed and matched, or plugged in,
while having a managable overall policy enforcement that only needs to know
if a given password satifies each sub rule without getting bogged down in
the details of a given rule.


--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Password Policy OIDs
  - From: John McMeeking <jmcmeek@us.ibm.com>

References:
- RE: [ldapext] Password Policy OIDs
  - From: John McMeeking <jmcmeek@us.ibm.com>

Prev by Date: RE: [ldapext] Password Policy OIDs
Next by Date: RE: [ldapext] Password Policy OIDs
Index(es):
- Chronological
- Thread