
[Shib-Dev] online attack resistance for UserPassword


  • From: Leif Johansson <>
  • Subject: [Shib-Dev] online attack resistance for UserPassword
  • Date: Tue, 31 May 2011 22:59:39 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


While investigating popular identity assurance schemes we've (as in
SWAMID) run across a common theme: password strength requirements.

Specifically, both InCommon Silver/Bronze, OIX FICAM LoA1, etc. refer
to Appendix A of NIST SP800-63, which contains a discussion on
password strength in terms of entropy.

In their OIX application process [1], Google by way of Eric Sachs
argues for rate-limiting using CAPTCHAs as a way to reduce the
practicality of online password guessing attempts.

Has this topic - rate-limiting authentication in the shib idp with
or without CAPTCHAs or other mechanisms - been discussed in the shib
developer community before? Does it seem like a viable option?

Cheers Leif

[1] http://sites.google.com/site/oauthgoog/Home/passwordentropy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3lVrcACgkQ8Jx8FtbMZndI4gCgyFISNhWcH4eMuJqwk3UBUe2i
6VgAnjcfsaYnMYmtbBZeoRbgfOJxkFH8
=Fo3r
-----END PGP SIGNATURE-----
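The rate-limiting the post asks about, as an added Python example that is not part of this message or of the Shibboleth IdP: a per-account login throttle that demands a CAPTCHA after a few failures and locks the account after a few more, together with the SP 800-63 Appendix A style arithmetic relating an attacker's online guess budget to password entropy. The class and function names, the policy numbers (3 failures before CAPTCHA, 5 before a 15-minute lockout, 10-minute counting window) and the credential check are all constructed for illustration.

```python
"""Constructed illustration of login rate-limiting against online
password guessing. Not Shibboleth IdP code; policy values are made up."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class _AccountState:
    failures: int = 0          # failed attempts in the current window
    window_start: float = 0.0  # when the current counting window began
    locked_until: float = 0.0  # attempts are refused before this time


@dataclass
class LoginThrottle:
    """Hypothetical per-account policy: after `captcha_after` failures in
    `window` seconds a CAPTCHA must be solved before further attempts are
    checked; after `lock_after` failures the account is locked for
    `lockout` seconds. Time is passed in explicitly so runs are deterministic."""
    captcha_after: int = 3
    lock_after: int = 5
    window: float = 600.0
    lockout: float = 900.0
    _state: Dict[str, _AccountState] = field(
        default_factory=lambda: defaultdict(_AccountState))

    def _slot(self, account: str, now: float) -> _AccountState:
        s = self._state[account]
        if now - s.window_start >= self.window:  # window expired: restart count
            s.failures, s.window_start = 0, now
        return s

    def attempt(self, account: str, password: str,
                verify: Callable[[str, str], bool],
                captcha_solved: bool, now: float) -> str:
        """One login attempt; returns 'locked', 'captcha-required',
        'bad-password' or 'ok'. The credential is verified only once the
        throttle allows it, so a refused guess tells the caller nothing
        about whether the password was right."""
        s = self._slot(account, now)
        if now < s.locked_until:
            return "locked"
        if s.failures >= self.captcha_after and not captcha_solved:
            return "captcha-required"
        if verify(account, password):
            s.failures, s.locked_until = 0, 0.0
            return "ok"
        s.failures += 1
        if s.failures >= self.lock_after:
            s.locked_until = now + self.lockout
        return "bad-password"


def worst_case_guesses(throttle: LoginThrottle, lifetime: float) -> int:
    """Upper bound on guesses against one account over `lifetime` seconds,
    assuming the attacker defeats every CAPTCHA: `lock_after` guesses, then a
    `lockout`-second wait, repeated (the window is shorter than the lockout
    here, so the failure count has reset by the time the lock expires)."""
    cycles = int(lifetime // throttle.lockout) + 1
    return throttle.lock_after * cycles


def guess_success_probability(entropy_bits: float, guesses: int) -> float:
    """Appendix A reasoning: a uniformly chosen password with `entropy_bits`
    bits of entropy falls to `guesses` trials with probability
    guesses / 2**entropy_bits (capped at 1)."""
    return min(1.0, guesses / 2 ** entropy_bits)


if __name__ == "__main__":
    # Constructed credential store: one account, one password.
    verify = lambda account, pw: account == "alice" and pw == "correct horse"
    t = LoginThrottle()
    for i in range(6):  # attacker guessing once per second, no CAPTCHA
        print(i, t.attempt("alice", f"guess{i}", verify, False, float(i)))
    budget = worst_case_guesses(t, 30 * 24 * 3600)  # 30-day password lifetime
    for bits in (14, 30):
        print(f"{bits}-bit password, {budget} guesses:",
              guess_success_probability(bits, budget))
```

The point of the budget functions is the one the post alludes to: with throttling in place, the entropy a password needs is set by the number of guesses the policy lets through over the password's lifetime, not by offline cracking speed. The worst-case bound deliberately assumes the CAPTCHA is broken, since CAPTCHA solving is cheap for an adversary; the lockout is what actually caps the budget. Note that pure per-account lockout lets an attacker deny service to a known username, so deployments normally pair it with per-source-address limits and back-off rather than hard locks.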


