Re: [ldapext] [x500standard] Password Policy Administrative Model
- To: x500standard@freelists.org
- Subject: Re: [ldapext] [x500standard] Password Policy Administrative Model
- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Mon, 16 Feb 2009 15:44:13 +0000
- Cc: "'LDAP Extensions list'" <ldapext@ietf.org>
- Delivered-to: ldapext@core3.amsl.com
- In-reply-to: <01a501c893b7$80659ba0$9801a8c0@softwareaus.com.au>
- Organization: University of Kent
- References: <20080331174501.8F71328C198@core3.amsl.com> <3D27B3E2-C6EA-42AD-BE13-4FD46221E2CA@Isode.com> <01a501c893b7$80659ba0$9801a8c0@softwareaus.com.au>
- User-agent: Thunderbird 2.0.0.19 (Windows/20081209)
Hi Andrew
we have just been editing the password policy working document and have
addressed the issues you raised in your message below.
Andrew Sciberras wrote:
> Hi Kurt,
> Just some comments that are specific to the administrative model.
> 3. Password Policy Administrative Model
> Administrative Area Scope
> In [BEHERA] it was stated that a password policy could be defined for a
> specific user by creating a password policy subentry directly under that
> entry. To me, this suggests that password policy administrative points act
> like specific administrative areas.
> Is this behavior intended to remain?
yes.
> Administrative Role
> In accordance with X.501 and RFC3672, do you intend to define an
> Administrative Role attribute value to identify that a particular
> administrative area is concerned with password policy administration?
Yes this is defined.
> Multiple Policies
> I assume that the draft allows multiple passwdPolicy subentries to exist
> below a given administrative point...
Yes this is the case, but no two policies must overlap for the same
password attribute type.
> This should be explicitly clarified in
> the I-D.
> Multiple subentries could be used to allow policies to apply to different
> attributes,
Yes, this is now achieved by having a MUST CONTAIN myPwdAttributeTypes
attribute in the password policy subentry, which lists the password
attribute types that are being covered by this policy.
> or to allow different policies to apply to a given password
> attribute conditionally,
No, we don't allow this as it would be too confusing. Which policy would
have precedence?
> based on the objectClass of an entry (~ using
> subtreeSpecification's).
Yes this is allowed.
> However, policies may also be created that inadvertently (or otherwise)
> conflict with each other.
No this won't be the case, since the directory software should stop a
password policy subentry from being created (or an old one being
modified) if it causes an overlap of password policies for a given
password attribute type in a given subtree. The alternative is to try to
define the policy conflict resolution algorithm if two opposing policies
apply to a given password attribute in an entry. But this is difficult.
For example, what if one policy says encrypt passwords and another says
don't. What should the DSA do? Or one policy says encrypt with MD5 and
another one says encrypt with AES?
> Clarifications on this should probably be made to avoid confusion.
I hope we have now clarified the situation.
regards
David
> Regards,
> Andrew Sciberras
> eB2Bcom
>> -----Original Message-----
>> From: ldapext-bounces@ietf.org [mailto:ldapext-bounces@ietf.org] On Behalf
>> Of Kurt Zeilenga
>> Sent: Tuesday, 1 April 2008 4:56 AM
>> To: LDAP Extensions list
>> Cc: x500standard@freelists.org
>> Subject: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
>> This I-D provides an alternative to draft-behera-ldap-password-policy-
>> xx.txt. The Appendix provides a discussion of how this approach differs, and
>> why.
>> The I-D is a bit rough around the edges...
>> -- Kurt
-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
--
Saying that Israel is justified in assaulting Palestine because of
Hamas' rockets is like saying the UK should have bombed Belfast when
the IRA was active. http://stopwar.org.uk/
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
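As an added illustration, not text or code from the thread or from either I-D: the rule David states above, that the DSA should refuse to add or modify a password policy subentry when it would govern the same password attribute type as an existing subentry for some entry in its scope, can be checked before the operation is committed. The subtree model here is a simplifying assumption (base DN, chop as minimum/maximum depth, and a set of structural object classes standing in for the refinement, with each entry having one structural class); myPwdAttributeTypes is the attribute named in the thread, and all DNs and policy names are constructed.

```python
from dataclasses import dataclass
INF = float("inf")  # unbounded maximum chop

@dataclass(frozen=True)
class SubtreeSpec:
    """Simplified X.501 subtreeSpecification (an assumption of this example):
    base DN + chop + an optional set of structural object classes as refinement."""
    base: tuple                  # RDNs root-first, e.g. ("dc=example", "ou=people")
    minimum: int = 0             # chop: depth below base where the scope starts
    maximum: float = INF         # chop: depth below base where the scope ends
    object_classes: frozenset = frozenset()  # empty = no refinement

@dataclass(frozen=True)
class PwdPolicySubentry:
    cn: str
    spec: SubtreeSpec
    pwd_attribute_types: frozenset   # the myPwdAttributeTypes values from the thread

def scopes_overlap(a: SubtreeSpec, b: SubtreeSpec) -> bool:
    """True if some entry could fall within both subtree specifications."""
    if len(a.base) > len(b.base):
        a, b = b, a                       # make a the shallower base
    if b.base[:len(a.base)] != a.base:
        return False                      # bases lie in disjoint subtrees
    offset = len(b.base) - len(a.base)    # depth of b.base below a.base
    lo = max(a.minimum - offset, b.minimum)   # both chops, relative to b.base
    hi = min(a.maximum - offset, b.maximum)
    if lo > hi:
        return False                      # chops never select a common depth
    if a.object_classes and b.object_classes and not (a.object_classes & b.object_classes):
        return False                      # refinements select different classes
    return True

def conflicting_policies(existing, candidate):
    """Existing subentries the DSA must reject the candidate against: a shared password
    attribute type AND overlapping scopes (same cn = the entry being modified, skipped)."""
    conflicts = []
    for sub in existing:
        if sub.cn == candidate.cn:
            continue
        shared = sub.pwd_attribute_types & candidate.pwd_attribute_types
        if shared and scopes_overlap(sub.spec, candidate.spec):
            conflicts.append((sub.cn, shared))
    return conflicts

# Constructed sample: one policy already governs userPassword for the whole DIT.
EXISTING = [PwdPolicySubentry("dit-pw", SubtreeSpec(("dc=example",)), frozenset({"userPassword"}))]
# Rejected: same attribute type, and ou=people lies inside dc=example.
REJECTED = PwdPolicySubentry("people-pw", SubtreeSpec(("dc=example", "ou=people")), frozenset({"userPassword"}))
# Accepted: a different password attribute type, so no overlap is possible.
ACCEPTED = PwdPolicySubentry("app-pw", SubtreeSpec(("dc=example", "ou=apps")), frozenset({"appPassword"}))
```

A policy scoped by refinement to a different structural class, or chopped so that its depth range never meets the existing one, is also accepted, since no single entry can fall under both.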