Pasword quality pluggable interface project review
Nicolas.Williams at oracle.com
Mon Aug 30 00:24:34 EDT 2010
On Sun, Aug 29, 2010 at 12:16:59PM -0400, ghudson at mit.edu wrote:
> I uncovered one subtle issue during implementation: if a module's
> check method decides it doesn't like a new password, what error code
> should it return?
This is not at all a subtle issue.
See draft-ietf-krb-wg-kerberos-set-passwd-09 and discussions of it at
There is no way to have a code pre-assigned for every possible
sub-policy. All the well-known types of password quality sub-policies
can and should have a code assigned. For all others we should either
not allow them, have a single generic code, or have a way for the server
to send back localized text explaining the policy. For the last one
there's a need to pass a set of languages from the client to the server
and the password quality check plugins.
Finally, you'll find that using existing APIs, localizing to random
languages requires changing the entire process' locale!
More information about the krbdev