
Re: heimdal 1.0.2RC6



--On Thursday, December 13, 2007 12:56:07 PM -0800 "Henry B. Hotz" 
<hotz@jpl.nasa.gov> wrote:

> I would be happy if it didn't loop at all.  For the use cases I currently
> have the looping ought to be done at the application layer, not in
> Heimdal, but it might be easier to just re-run the app.  (E.g. login
> fails.  Just try to log in again.)  Does this make it easier?

No; the problem is that bad or just incorrectly configured code can end up 
trying multiple times with the same password, without notifying the user. 
We've seen the same thing, though fortunately never in a case where the 
"password" was being used as a PIN, because I agree with Love -- something 
which is passed around as a "password" is very often _not_ a PIN for a 
smartcard or other token, and treating it that way can make the user very 
sad.

-- Jeff