This information is usually listed on the registration page anyway.
8-16 characters. Letters and numbers only. No spaces. Case
sensitive. - password change screen from Comcast.net
Must be at least 6 characters long. - registration page from digg.com
Choose a secure password, which:
is at least
] OpenID Assertion Quality Extension - Draft
Daniel,
It's not a bad idea, but it doesn't actually drive any more knowledge
about the security of the authentication. There are so many factors when
calculating the entropy and overall security of a password that I don't
think it should be included
It might be useful to some RPs to know of any complexity schemes put
on users' passwords.
How about:
password.min_length=8
password.max_length=16
the number of characters that the password is between.
password.max_length would probably be more useful as I don't see many
RPs complaining if the
Hi Avery, some minor tweaks/comments
1) the line 'the first method that the RP would like the OP to perform'
could be interpreted as constraining the O/IDP to performing whatever
authentication mechanism is listed as the first in a temporal sequence,
i.e. must do X then Y
This could be
Avery, below
Avery Glasser wrote:
Paul,
My feedback to your feedback...
Hi Avery, some minor tweaks/comments
1) the line 'the first method that the RP would like the OP to
perform' could be interpreted as constraining the O/IDP to
performing whatever authentication mechanism is
+1 simple and straightforward
Just curious about use cases where the required authentication level
changes over time. For instance, a use case where to view my stock
portfolio just requires password, but doing a trade requires
voicebio. Is the expectation that authentication events can be
Hi George, for your use case below, why would not the RP just ask for
the user to be up-authenticated at the desired higher level when necessary?
Are you asking whether the RP should be allowed to ask the user to
re-present their URI in order for this to happen? And thereby
effectively
Paul Madsen wrote:
Hi George, for your use case below, why would not the RP just ask for the
user to be up-authenticated at the desired higher level when necessary?
So in the draft... how does
the RP ask for the user to be "up-authenticated"? The authentication
request parameters do not
, November 30, 2006 2:22 PM
To: George Fletcher
Cc: specs@openid.net; [EMAIL PROTECTED]
Subject: Re: [OpenID] OpenID Assertion Quality Extension - Draft
Just to weigh in here...
Paul Madsen wrote:
Hi George, for your use case below, why would not the RP just ask for the
user to be up
+1
Avery Glasser wrote:
Actually, this could be pretty simple to implement:
Replace openid.aqe.preferred_auth_mode with the following:
openid.aqe.auth_factor1
Optional: The method of authentication the RP
would like the OP to perform, or in the case of a multi-factor
: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Recordon, David
Sent: Wednesday, November 29, 2006 9:46 AM
To: specs@openid.net
Cc: [EMAIL PROTECTED]
Subject: OpenID Assertion Quality Extension - Draft
So this is the first public draft of the extension that Avery, Paul, and
I have been