[Kdc-info] notes from today
Nicolas Williams
Nicolas.Williams at sun.com
Wed Nov 12 17:20:36 EST 2003
On Wed, Nov 12, 2003 at 10:43:49PM +0100, Leif Johansson wrote:
> Please yell if I got it wrong. This is roughly what transpired
> today:
>
> 1. After some initial confusion about the word 'policy' we
> decided that the policy part of the model be restructured as
> follows:
>
> A policy has a
>
> Human readable name
> UUID (unique thingy)
> Description for user
> Description for admin
(localizable, one hopes - I'm not sure how you do that in LDAP :/ )
> Policy type OID
> Optional opaque parameter "DEFINED BY" the type
"Open type" is the right ASN.1 terminology.
> Each principal has a set of policy-references, at most one
> per type.
per _policy_ type.
> 2. Nico commented on the need for words about access control.
> The next version will have such words.
Yup. And note that we can now have an acl policy type; MIT krb5 would
have only one princ acl policy: "default."
> 3. We decided not to get into i18n today although we may have
> to eventually.
Oh, yeah - sorry I mentioned l10n above then :)
> Question: Did we decide that password quality and password
> change policy type are separate? Or are there more/fewer types
> of policy related to passwords?
All [sub-]policies related to password changing should be aggregated
under a single policy type for password changes. Min. password life,
max. pw life, min. char classes, min. pw len., dictionary check (and
_which_ dictionaries...), pw history, etc... all are part of the
password quality policy, IMO.
Cheers,
Nico
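
The policy model discussed in this thread, as an added example that is not part of the original message or of any kdc-info schema: a policy record with a type OID and an open-type parameter, a principal limited to one policy reference per policy type, and a single password policy type that aggregates several of the sub-policies listed above. The OID, the parameter field names, the principal name and the sample dictionary are constructed for illustration.

```python
import uuid
from dataclasses import dataclass, field

# Placeholder OID constructed for this example; the thread assigns none.
PW_POLICY_OID = "1.3.6.1.4.1.99999.1"

@dataclass(frozen=True)
class Policy:
    name: str                      # human-readable name
    type_oid: str                  # policy type OID
    parameter: object = None       # optional open-type value, defined by the type
    user_description: str = ""
    admin_description: str = ""
    policy_id: uuid.UUID = field(default_factory=uuid.uuid4)

@dataclass
class Principal:
    name: str
    policy_refs: dict = field(default_factory=dict)   # type OID -> policy UUID

    def attach(self, policy):
        # Enforce "at most one policy reference per policy type".
        if policy.type_oid in self.policy_refs:
            raise ValueError(f"{self.name} already has a policy of type {policy.type_oid}")
        self.policy_refs[policy.type_oid] = policy.policy_id

def char_classes(pw):
    # Count how many of: lowercase, uppercase, digit, other appear in pw.
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def check_password_change(principal, store, new_pw, age_days, dictionaries):
    """Return the names of violated sub-policies; an empty list means accepted."""
    ref = principal.policy_refs.get(PW_POLICY_OID)
    if ref is None:
        return []                  # no password policy referenced
    p = store[ref].parameter
    failed = []
    if age_days < p["min_life_days"]:
        failed.append("min_life")
    if len(new_pw) < p["min_len"]:
        failed.append("min_len")
    if char_classes(new_pw) < p["min_classes"]:
        failed.append("min_classes")
    if any(new_pw.lower() in dictionaries[d] for d in p["dictionaries"]):
        failed.append("dictionary")
    return failed

if __name__ == "__main__":
    pol = Policy("default-pw", PW_POLICY_OID, {"min_life_days": 1, "min_len": 10,
                 "min_classes": 3, "dictionaries": ["common"]})
    alice = Principal("alice@EXAMPLE.ORG")
    alice.attach(pol)
    print(check_password_change(alice, {pol.policy_id: pol}, "password", 0,
                                {"common": {"password"}}))
```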