assurance - [Assurance] Renewing an Expired authentication secret: 4.2.4.3
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [Assurance] Renewing an Expired authentication secret: 4.2.4.3
- Date: Thu, 10 Jan 2013 15:09:29 +0000
- Accept-language: en-US
Based on your reading of 4.2.4.3 for credential renewal… I am interpreting that changing your password after it expires (i.e. 90 days) would be considered a “renewal”. According to 4.2.4.3, prior to renewal, the subject must prove possession of an unexpired current authentication secret (i.e. password). With that requirement, it would appear that you shouldn’t be able to reset/change your password after it is expired. However, if your account is not administratively disabled, and it is just your expired password that is denying you access to services (email, network, ERP), would it not be OK to be able to do a self-service change password even after it expired, as long as you know the old password?

Where I get hung up in reading this is the case where the subject CAN prove possession of the current (although expired) Authentication Secret, but the methods #1 and #2 do not apply since the secret CAN be supplied. Is the wording vague or am I reading this incorrectly?

4.2.4.3 CREDENTIAL RENEWAL OR RE-ISSUANCE

Appropriate policy and process must be in place to ensure that any new Credential and/or new Authentication Secret is provided only to the actual Credential Subject should it be necessary to reissue an Authentication Secret, e.g., due to suspected compromise or the Subject having forgotten the Secret, or to reissue a Credential due to expiration.

This process must be at least as trustworthy as the process used for initial issuance of the Credential. Prior to the IdPO allowing renewal or re-issuance of a Credential, the Subject must prove possession of an unexpired current Authentication Secret or, if the Subject cannot supply the current Authentication Secret, one of the following methods may be used:

1. The Subject must supply answers to pre-registered personalized questions designed to be difficult for any other person to know;
2. A short-lived single use Secret sent to the Address of Record that the Subject must submit in order to establish a new Authentication Secret.

Replacing a forgotten Authentication Secret can be accomplished at any time using the above methodology. Authentication Secrets shall not be recovered; new Secrets shall be issued.

After expiration of the current Credential or Authentication Secret, or if none of the alternative mechanisms specified above are successful, renewal and re-issuance shall not be allowed. The Subject must re-establish her or his identity with the IdPO as defined in Section 4.2 above.

All interactions conducted via a shared network shall occur over a Protected Channel such as SSL/TLS.

Jeff Capehart, CISA |
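As an added illustration, not part of this message or of the InCommon profile, the following Python encodes the gating logic of 4.2.4.3 as literally worded: renewal with the current secret is accepted only while that secret is unexpired; methods 1 (pre-registered questions) and 2 (short-lived, single-use secret to the Address of Record) are the fallbacks when the current secret cannot be supplied; once the credential or secret has expired every path refuses and sends the subject back to Section 4.2; and the old secret is never recovered, only replaced. Everything beyond the profile text is an assumption: the class and method names (`IdPO`, `Outcome`, `renew`, `reset_by_questions`, `send_one_time_secret`, `reset_by_one_time_secret`), the 10-minute lifetime for the one-time secret (the profile only says "short-lived"), PBKDF2-SHA256 for storing secrets and answers, and an in-memory outbox standing in for e-mail delivery.

```python
"""Credential renewal / re-issuance gatekeeping modelled on the literal text of
IAP 4.2.4.3.  Illustrative code only; names, lifetimes and the storage KDF are
assumptions, not anything the profile specifies."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum

ONE_TIME_LIFETIME = 600          # assumption: "short-lived" taken as 10 minutes
DEFAULT_LIFETIME = 90 * 86400    # assumption: 90-day secret lifetime, as in the question


class Outcome(Enum):
    RENEWED = "new authentication secret issued"
    REJECTED = "proof of possession failed; nothing changed"
    SENT = "one-time secret sent to the Address of Record"
    REIDENTIFY = "expired: subject must re-establish identity per 4.2"


@dataclass
class Credential:
    secret_hash: bytes     # salted hash; the secret itself is never stored
    salt: bytes
    expires_at: float      # epoch seconds; at or after this the secret is expired
    address_of_record: str
    kba_hash: bytes        # method 1: hash of the pre-registered answers
    kba_salt: bytes


@dataclass
class OneTimeSecret:       # method 2: short-lived and single use
    token_hash: bytes
    expires_at: float
    used: bool = False


def _kdf(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _norm(answers) -> str:
    return "|".join(a.strip().lower() for a in answers)


class IdPO:
    def __init__(self, now=time.time):
        self.now = now                    # injectable clock so expiry is testable
        self.creds: dict[str, Credential] = {}
        self.pending: dict[str, OneTimeSecret] = {}
        self.outbox: list[tuple[str, str]] = []   # stands in for mail delivery

    def enroll(self, subject, secret, lifetime, address, kba_answers):
        salt, kba_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        self.creds[subject] = Credential(_kdf(salt, secret), salt, self.now() + lifetime,
                                         address, _kdf(kba_salt, _norm(kba_answers)), kba_salt)

    def _expired(self, subject) -> bool:
        return self.now() >= self.creds[subject].expires_at

    def _issue(self, subject, new_secret, lifetime):
        # "Authentication Secrets shall not be recovered; new Secrets shall be issued."
        c = self.creds[subject]
        c.salt = secrets.token_bytes(16)
        c.secret_hash = _kdf(c.salt, new_secret)
        c.expires_at = self.now() + lifetime
        self.pending.pop(subject, None)   # any outstanding one-time secret dies with the old one

    def renew(self, subject, current_secret, new_secret, lifetime=DEFAULT_LIFETIME) -> Outcome:
        """Primary path: possession of an *unexpired* current secret."""
        if self._expired(subject):
            return Outcome.REIDENTIFY
        c = self.creds[subject]
        if not hmac.compare_digest(_kdf(c.salt, current_secret), c.secret_hash):
            return Outcome.REJECTED
        self._issue(subject, new_secret, lifetime)
        return Outcome.RENEWED

    def reset_by_questions(self, subject, answers, new_secret, lifetime=DEFAULT_LIFETIME) -> Outcome:
        """Method 1: answers to pre-registered personalized questions."""
        if self._expired(subject):
            return Outcome.REIDENTIFY
        c = self.creds[subject]
        if not hmac.compare_digest(_kdf(c.kba_salt, _norm(answers)), c.kba_hash):
            return Outcome.REJECTED
        self._issue(subject, new_secret, lifetime)
        return Outcome.RENEWED

    def send_one_time_secret(self, subject) -> Outcome:
        """Method 2, step 1: send a short-lived single-use secret to the Address of Record."""
        if self._expired(subject):
            return Outcome.REIDENTIFY
        token = secrets.token_urlsafe(32)
        self.pending[subject] = OneTimeSecret(hashlib.sha256(token.encode()).digest(),
                                              self.now() + ONE_TIME_LIFETIME)
        self.outbox.append((self.creds[subject].address_of_record, token))
        return Outcome.SENT

    def reset_by_one_time_secret(self, subject, token, new_secret, lifetime=DEFAULT_LIFETIME) -> Outcome:
        """Method 2, step 2: the subject submits the secret to establish a new one."""
        if self._expired(subject):
            return Outcome.REIDENTIFY
        ots = self.pending.get(subject)
        if ots is None or ots.used or self.now() >= ots.expires_at:
            return Outcome.REJECTED
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), ots.token_hash):
            return Outcome.REJECTED
        ots.used = True                   # single use: a replayed token is refused
        self._issue(subject, new_secret, lifetime)
        return Outcome.RENEWED
```

With this reading, the situation the question describes (the subject still knows the old password, but it has expired) lands in `Outcome.REIDENTIFY` on every path, because the expiry check runs before possession is even tested; an IdPO that wants to honour a known-but-expired password would have to move that check, which is exactly the interpretation being asked about.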
- [Assurance] Renewing an Expired authentication secret: 4.2.4.3, Capehart,Jeffrey D, 01/10/2013
- Re: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, David Walker, 01/11/2013
- RE: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, Dunker, Mary, 01/11/2013
- Re: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, Eric Goodman, 01/11/2013
- Re: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, David Walker, 01/13/2013
- RE: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, Eric Goodman, 01/14/2013
- Re: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, David Walker, 01/13/2013
- Re: [Assurance] Renewing an Expired authentication secret: 4.2.4.3, David Walker, 01/11/2013