[x500standard] Re: New draft on password policy

  • From: David Wilson <David.Wilson@xxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Thu, 16 Jul 2009 13:50:16 +0100

On Tue, 2009-07-14 at 17:35 -0700, Howard Chu wrote:
> > Section 18.1.6:
> >     a) why is pwdQualityRule single-valued? Without an initial set
> > of rules to serve as examples, it's difficult to evaluate the
> > usefulness of this attribute. I would expect that multiple orthogonal
> > rules will be defined and that a policy would allow combinations of
> > these rules to be chosen. IMO this attribute should be multi-valued
> > and at least one or two prototypical rules need to be part of the
> > spec. As an example, a rule that validates the plaintext of a
> > password against a regular expression would be useful.
> 
> In thinking about what custom modules we've implemented for this in
> the past, I propose a couple rules for usage. First of all, assume
> that pwdQualityRule is multivalued, where each value defines a single
> type of rule, and a given password must pass every rule to be valid.

I've been ruminating over this, and I'm not sure that a multi-valued
attribute in each user's entry is what is needed.

In a given installation, the policy on password quality will probably
boil down to just a few sets of rules. You might have stricter rules for
administration passwords than for ordinary users, for instance. But I
don't think you would want to have much variation.

So, you don't really want to have to express all of the conditions for
each user in their own entry. (You could, I guess, use collective
attributes for this, if available, but that is also not ideal).

I would think that what you need for this is for user entries to have
some indirect reference to the locally configured quality policy which
is to be applied. And these local quality policies are configured within
the DSA.

I also think that not having the actual rules visible gives a very
slight security advantage, as knowledge of the rules would enable an
attacker to reduce the scope of a search.

Another interesting debate is over the whole issue of password quality,
as in:

<http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf>

best regards

David Wilson
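The two models argued over above, as an added example that is not part of the thread and not code from the draft or from either poster: Howard's, where the user entry carries a multi-valued pwdQualityRule and the password must satisfy every value (including regex rules over the plaintext), and David's, where the entry holds only a reference to a policy configured in the DSA. The "type:argument" rule syntax, the attribute name pwdQualityPolicy used for the indirect reference, the policy DNs, and the sample entries are all assumptions made for this example.

```python
"""Password-quality rule evaluation under two attachment models.

Howard's model: the entry carries a multi-valued pwdQualityRule attribute and
the password must satisfy every value.  David's model: the entry carries only a
reference to a policy configured locally in the DSA.  Both share one evaluator.
Rule syntax, attribute names and policy DNs are assumptions for this example,
not taken from the draft.
"""
import re
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]           # LDAP-style entry: attribute -> values
Rule = Callable[[str, Entry], bool]    # True when the password satisfies the rule


def make_rule(value: str) -> Rule:
    """Compile one rule value of the (assumed) form "<type>:<argument>"."""
    kind, _, arg = value.partition(":")
    if kind == "minlen":
        n = int(arg)
        return lambda pw, entry: len(pw) >= n
    if kind == "regex":                # plaintext must match the pattern somewhere
        pat = re.compile(arg)
        return lambda pw, entry: pat.search(pw) is not None
    if kind == "notregex":             # plaintext must not match the pattern
        pat = re.compile(arg)
        return lambda pw, entry: pat.search(pw) is None
    if kind == "notcontains":          # values of the named entry attribute must not appear in the password
        return lambda pw, entry: not any(
            v.lower() in pw.lower() for v in entry.get(arg, []) if v)
    raise ValueError(f"unknown rule type {kind!r} in {value!r}")


def check_password(password: str, rules: List[str], entry: Entry) -> List[str]:
    """Return the rule values the password violates; an empty list means it passes every rule."""
    return [value for value in rules if not make_rule(value)(password, entry)]


# Policies configured locally in the DSA (David's model).  Constructed sample data:
# a looser set for ordinary users and a stricter one for administrators.
DSA_POLICIES: Dict[str, List[str]] = {
    "cn=users,cn=pwdpolicies": [
        "minlen:8",
        "regex:[0-9]",
        "regex:[A-Z]",
        "notcontains:uid",
    ],
    "cn=admins,cn=pwdpolicies": [
        "minlen:14",
        "regex:[0-9]",
        "regex:[A-Z]",
        "regex:[^A-Za-z0-9]",
        "notcontains:uid",
        "notcontains:cn",
    ],
}


def rules_for_entry(entry: Entry) -> List[str]:
    """Resolve the rule set that applies to an entry under either model."""
    if entry.get("pwdQualityRule"):                        # Howard's model: rules in the entry itself
        return list(entry["pwdQualityRule"])
    refs = entry.get("pwdQualityPolicy", [])                # David's model: assumed reference attribute
    if len(refs) != 1:
        raise LookupError("entry must reference exactly one DSA password policy")
    if refs[0] not in DSA_POLICIES:
        # Fail closed: a dangling reference must not silently mean "no rules apply".
        raise LookupError(f"unknown password policy {refs[0]!r}")
    return list(DSA_POLICIES[refs[0]])


def validate(password: str, entry: Entry) -> List[str]:
    """Violated rules for this entry's effective policy (empty list = accepted)."""
    return check_password(password, rules_for_entry(entry), entry)


# Constructed sample entries.
ALICE: Entry = {"uid": ["alice"], "cn": ["Alice Example"],
                "pwdQualityPolicy": ["cn=users,cn=pwdpolicies"]}
ROOT: Entry = {"uid": ["root"], "cn": ["Directory Manager"],
               "pwdQualityPolicy": ["cn=admins,cn=pwdpolicies"]}
LEGACY: Entry = {"uid": ["legacy"], "pwdQualityRule": ["minlen:4", "notcontains:uid"]}

if __name__ == "__main__":
    for entry, pw in [(ALICE, "hunter2"), (ALICE, "Hunter22"),
                      (ROOT, "Hunter22"), (ROOT, "Correct Horse 9 Battery!"),
                      (LEGACY, "legacy1"), (LEGACY, "abcd")]:
        bad = validate(pw, entry)
        print(f"{entry['uid'][0]:>7}: {pw!r:28} {'OK' if not bad else 'violates ' + ', '.join(bad)}")
```

Under the DSA model the rule strings never need to leave the server: the DSA can log the violated values and return only a generic rejection to the client, which is the small advantage David mentions. Note also the fail-closed handling of a missing or ambiguous policy reference; treating a dangling reference as "no rules" would quietly disable the policy for that entry.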

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.