[x500standard] Re: New draft on password policy

  • From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Wed, 23 Sep 2009 09:26:39 +0100

Hi Howard


Howard Chu wrote:
> David Chadwick wrote:
> > Other:
> >
> > One feature that both X.509 certificates and Kerberos tickets provide,
> > that is missing in this and the LDAP specs, is a pwdStartDate parameter.
> > There are expiration attributes to control when a credential stops being
> > valid, but no corresponding parameter to control when it starts being
> > valid.
> >
> > In addition to allowing credentials to be disabled due to failed
> > authentications, and due to passing a fixed expiration date,
> > administrators frequently request a generic "disabled" boolean flag, for
> > miscellaneous non-time-related reasons.
>
> Looks like I forgot about this. Just to note: I've added pwdStartDate and pwdEndDate to the LDAP ppolicy draft, and suggested that setting pwdStartDate to a value greater than pwdEndDate can be used for the same effect as a generic "disabled" flag.

Good idea. We will change the name of our pwdCreationTime to pwStartTime and allow it to be in the future and set by the administrator. We should then have alignment on this.

As an aside, don't you think we should try to align the names (and OIDs) of all our attributes when they are semantically the same? For example, we use Time rather than Date since we use GeneralizedTime as the syntax of many of our attributes.

regards

David

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
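The validity window the thread discusses (a start bound alongside the existing end bound, with "start later than end" standing in for a generic disabled flag), as an added example written for this page; it is not code from the LDAP ppolicy draft, from OpenLDAP, or from either author. The attribute names pwdStartDate and pwdEndDate are those Howard mentions for the LDAP draft; the sample entry, the helper names password_state and disable_entry, and the decision to accept only the UTC "Z" form of GeneralizedTime are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

GENERALIZED_TIME_FMT = "%Y%m%d%H%M%SZ"  # the UTC form LDAP uses on the wire

# Constructed sample entry: attribute names follow the LDAP ppolicy draft
# mentioned in the thread; the DN and timestamps are made up for this example.
SAMPLE_ENTRY = {
    "dn": "uid=alice,ou=people,dc=example,dc=com",
    "pwdStartDate": "20091001000000Z",
    "pwdEndDate": "20100401000000Z",
}


def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime value of the form YYYYMMDDHHMMSSZ.

    Only the UTC ("Z") form is accepted (assumption for this example). A value
    that does not parse raises rather than being guessed at: a misread validity
    bound would silently widen or narrow the window the administrator set.
    """
    try:
        return datetime.strptime(value, GENERALIZED_TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}") from exc


def format_generalized_time(moment: datetime) -> str:
    """Inverse of parse_generalized_time for UTC datetimes."""
    return moment.astimezone(timezone.utc).strftime(GENERALIZED_TIME_FMT)


def password_state(entry: dict, now: datetime) -> str:
    """Classify a password as disabled, not-yet-valid, expired or valid.

    An absent pwdStartDate means "usable immediately"; an absent pwdEndDate
    means "never expires". A start bound later than the end bound is the
    administrative-disable convention suggested in the thread and wins over
    every time-based outcome.
    """
    start: Optional[datetime] = (
        parse_generalized_time(entry["pwdStartDate"]) if entry.get("pwdStartDate") else None
    )
    end: Optional[datetime] = (
        parse_generalized_time(entry["pwdEndDate"]) if entry.get("pwdEndDate") else None
    )
    if start is not None and end is not None and start > end:
        return "disabled"
    if start is not None and now < start:
        return "not-yet-valid"
    if end is not None and now >= end:
        return "expired"
    return "valid"


def password_usable(entry: dict, now: datetime) -> bool:
    """True only when the password is inside its validity window and not disabled."""
    return password_state(entry, now) == "valid"


def disable_entry(entry: dict, now: datetime) -> dict:
    """Disable an entry by moving pwdStartDate one second past pwdEndDate.

    When no pwdEndDate is set, the end bound is first pinned to `now` so that
    the start > end relation is well defined; otherwise a far-future start
    would merely read as "not yet valid", which is a different state.
    """
    if not entry.get("pwdEndDate"):
        entry["pwdEndDate"] = format_generalized_time(now)
    end = parse_generalized_time(entry["pwdEndDate"])
    entry["pwdStartDate"] = format_generalized_time(end + timedelta(seconds=1))
    return entry


if __name__ == "__main__":
    now = datetime(2009, 10, 15, 12, 0, 0, tzinfo=timezone.utc)
    print(password_state(SAMPLE_ENTRY, now))
    print(password_state(disable_entry(dict(SAMPLE_ENTRY), now), now))
```

Keeping "disabled" distinct from "not-yet-valid" in the classifier matters for audit: the two states are produced by the same attributes, but one is an administrative action and the other is a scheduled activation, and an operator reading a bind failure wants to know which it was.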