
Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt



On Mon, 2008-03-31 at 16:13 -0700, Kurt Zeilenga wrote:

> > What is the reason for the proposed approach is preferred to this
> > alternative one ? (I am assuming both have been considered)
> 
> I believe that when the expiration policy is changed from N to M days,  
> the policy administrator expects that policy to be applied to all  
> passwords, not just those set after the policy change.

Thanks, this is the clarification I was seeking.

> > 3)
> >
> > 4.2. Minimum Length
> >
> >  The Minimum Length constraint restricts the length of allowed
> >  passwords, requiring all passwords to have at least the number of
> >  octets specified in the parameter.  [...]
> >
> > Here minimum length is expressed in octets, but in UTF-8 multiple
> > octets can encode a single character. And therefore a password
> > can be 'shorter' if simply octets are counted.
> >
> >
> > Shouldn't the minimum length indicate the minimum number of  
> > characters ?
> 
> A password doesn't necessarily consist of character data, so specifying
> their length in characters doesn't make any sense.

In 4.1 you proposed a constraint that the password conforms to UTF-8.
In this case the data definitely consists of characters.

An administrator, I think, would definitely be confused/disappointed to
discover that the minimum number of characters accepted varies depending
on the language used.
(Most Latin-script languages use mostly 1-byte characters, while many other
languages will regularly use 2-byte (or wider) characters.)

Should we have a default 'Minimum Length of Characters' constraint to
pair to the UTF-8 constraint of 4.1 ?

> > 4)
> >
> > The number of constraints seems quite limited; are you open to
> > suggestions for more constraint types that are currently commonly used
> > in various server implementations ?
> 
> Yes.

Thanks.
There are some encoding (UTF-8) dependent constraints that are widely
used, like:

- minimum length in characters
- maximum number of repetitions of the same character in a password
- minimum number of alphabetic characters
- minimum number of lower case characters
- minimum number of upper case characters
- minimum number of digits
- minimum number of special characters (usually ASCII characters that
represent symbols, but may be extended to other symbols in the UTF-8
space)
- minimum number of ASCII characters (as opposed to other utf-8
characters)
- complexity checks, like the checks performed by the cracklib library
to make sure the user name (or other user data) is not used as part of
the password itself, or the password is not too similar to a dictionary
word (locale dependent sometimes).


There is also often a kind of meta-constraint:
- minimum number of constraints that must pass their criteria

This allows a greater number X of constraints but accepts the password
even if only Y < X of them are fulfilled. An example configuration is to
enable all constraints but require that only, say, 4 of them must be met
at the same time to consider the password strong enough.


Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>
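As an added illustration (not code from the thread, the draft, or any LDAP server), the following Python checker shows how an octet count and a character count diverge for a non-Latin password, and implements the "at least Y of X constraints" meta-constraint discussed above. All constraint names, defaults, and the simplified cracklib-style user-name check are assumptions made for this example.

```python
from collections import Counter


def octet_length(password: str) -> int:
    """Length as a server counting octets of the UTF-8 encoding would see it."""
    return len(password.encode("utf-8"))


def char_length(password: str) -> int:
    """Length counted in Unicode characters (code points)."""
    return len(password)


def constraint_results(password: str, username: str = "", *,
                       min_chars: int = 8, max_repeat: int = 2,
                       min_alpha: int = 1, min_lower: int = 1,
                       min_upper: int = 1, min_digits: int = 1,
                       min_special: int = 1, min_ascii: int = 1) -> dict:
    """Evaluate every constraint independently; returns name -> pass/fail.

    Constraint names and default thresholds are assumptions for this example.
    """
    counts = Counter(password)
    special = sum(1 for c in password if not c.isalnum() and not c.isspace())
    return {
        "min_chars": len(password) >= min_chars,
        "max_repeat": max(counts.values(), default=0) <= max_repeat,
        "min_alpha": sum(c.isalpha() for c in password) >= min_alpha,
        "min_lower": sum(c.islower() for c in password) >= min_lower,
        "min_upper": sum(c.isupper() for c in password) >= min_upper,
        "min_digits": sum(c.isdigit() for c in password) >= min_digits,
        "min_special": special >= min_special,
        "min_ascii": sum(c.isascii() for c in password) >= min_ascii,
        # Simplified cracklib-style check: the user name must not appear
        # inside the password (case-insensitive).
        "no_username": not username or username.lower() not in password.lower(),
    }


def satisfies_policy(password: str, username: str = "", required: int = 4,
                     **policy) -> bool:
    """Meta-constraint: accept when at least `required` of the constraints pass."""
    results = constraint_results(password, username, **policy)
    return sum(results.values()) >= required
```

A four-character CJK password occupies 12 octets and so clears an 8-octet minimum, while failing an 8-character minimum; the meta-constraint then decides whether the remaining checks compensate.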

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext