Refeds


Subject Re: draft charge, refeds working group on attribute release
From Leif Johansson <leifj@xxxxxxxx>
Date Tue, 05 Jul 2011 10:10:45 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



> Right, it's certainly possible to run an IdM system that doesn't even
> qualify for LoA1.  Sending passwords in the clear on the wire is a
> #fail, for example.  Such a system isn't "LoA0", it isn't anything.  But
> then a system that hasn't been assessed and certified isn't anything
> either, regardless of its practices.

I was thinking about less obvious reasons for #fail such as the
requirement to limit online dictionary attacks against your users'
credentials. Not quite so easy once you start to get into the
details of it.

	Cheers Leif
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk4SxwUACgkQ8Jx8FtbMZndvmgCgkQfJ7X7n5rGJp7qlA5TzeUA9
ZocAoKY6mOmYpZTYamrMXDWiGgOixpM2
=xpYC
-----END PGP SIGNATURE-----