Re: Password Policy and Account Lockout Policy for KeyStorage

Considering there has been absolutely no discussion of passwords, I think
you are really jumping ahead quite a few steps. I would say supporting or
requiring passwords - per-origin or in general - is not something I would
support. So any discussions about things like password strength or lockout
is too far.

Given that the security description of this API in both working drafts
hopefully makes it very clear what guarantees are provided by the API - and
which are not - I do not think this is something that fits into our work.

You can easily implement this in your own application using a hosting
origin that requires a user to conform to your policies, so I do not see
any reason why it would need to be specified in the API. It is thus already
supported and in a much cleaner way.

On Jan 14, 2013 2:53 AM, "Mountie Lee" <mountie.lee@mw2.or.kr> wrote:

> Hi
> I have a question.
>
> When I discussed this with internal Korean members,
> I found the requirement for password and account lockout policies for
> keyStorage.
>
> Password and account lockout policies normally cover the following:
> - password complexity
> - password duration
> - allowed attempts
> - lockout duration
> - preventing reuse of already used passwords
> - timeout
> - ...
>
> I'm not sure whether it belongs in the scope of our working group,
> but when we consider security compliance, it is a required feature
> (binary plugins were implementing it).
>
> Any comments?
>
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
> =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World

Received on Monday, 14 January 2013 11:22:15 UTC