
Re: Xauth Transaction Identifier



Hi Leemay,

>
> In your new draft, XAUTH_ANSWER is very specific to
> SecurID support. If we can relax the limitation, we
> may be able to allow the client to initiate the password
> change request. For example,

XAUTH_ANSWER is not meant to be SecurID specific at all.  Though I suppose
it is the only example that I gave of it.

>
> Client <--> GW
> <-- REQ (Username = '', pwd = '')
> REPLY (Username = 'joe', pwd = 'mypwd') -->
> <-- REQ (answer = '', msg = 'Your password is about
> to expire, do you want to change your password ?')
> REPLY (answer = 'y') -->
> <<< password change details...>>>
> <-- SET (OK)
> ACK() -->
>

What you've outlined here does work.  The section you left empty (i.e.
<<password change details>>) would simply be replaced by
<-- REQ (pwd = '', msg = 'Enter your new password')
REPLY (pwd = 'mynewestpwd') -->


Though in the case you've outlined, the password change is still more or
less initiated by the edge device, though it leaves the option to the user
whether or not he/she wishes to refuse to change their password.


> Or we could simply have another attribute "XAUTH_PASSWORD_CHANGE"
> to allow client to initiate the action.

Do you still think this might be required given my comments above?

Thanks for your input,
Stephane.
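The exchange described above, modelled as an added example that is not part of the original thread or of the XAUTH draft. The message kinds (REQ, REPLY, SET, ACK) and the informal attribute names (user, pwd, msg, answer) follow the sketch in the messages; the credential store, the expiry set and the handling of a declined change are assumptions made for the example.

```python
# Added example: a minimal model of the XAUTH password-expiry exchange from the thread.
# Empty attributes in a REQ mean "please fill this in"; the client's "answer" attribute
# carries the user's decision, and SET/ACK close the transaction. Credential store and
# expiry handling are assumptions, not taken from the draft.
from dataclasses import dataclass, field

@dataclass
class Msg:
    kind: str                          # "REQ", "REPLY", "SET" or "ACK"
    attrs: dict = field(default_factory=dict)

EXPIRY_MSG = "Your password is about to expire, do you want to change your password?"
NEW_PWD_MSG = "Enter your new password"

class Client:
    """Client side: fills in empty attributes and remembers whether it agreed to a change."""
    def __init__(self, user, pwd, new_pwd, wants_change):
        self.user, self.pwd, self.new_pwd = user, pwd, new_pwd
        self.wants_change, self.agreed = wants_change, False

    def handle(self, msg):
        if msg.kind == "SET":
            return Msg("ACK")
        reply = {}
        if "user" in msg.attrs:
            reply["user"] = self.user
        if "answer" in msg.attrs:
            self.agreed = self.wants_change
            reply["answer"] = "y" if self.wants_change else "n"
        if "pwd" in msg.attrs:
            # After agreeing to a change, the next pwd REQ asks for the new password.
            reply["pwd"] = self.new_pwd if self.agreed else self.pwd
        return Msg("REPLY", reply)

def gateway_session(client, creds, expiring):
    """Edge-device side. Mutates creds on a successful change; returns the transcript."""
    transcript = []
    def exchange(req):
        transcript.append(req)
        transcript.append(client.handle(req))
        return transcript[-1].attrs
    r = exchange(Msg("REQ", {"user": "", "pwd": ""}))
    user, pwd = r.get("user"), r.get("pwd")
    status = "OK" if user in creds and creds[user] == pwd else "FAIL"
    if status == "OK" and user in expiring:
        # Expiry notice: the user, not the gateway, decides whether to change.
        r = exchange(Msg("REQ", {"answer": "", "msg": EXPIRY_MSG}))
        if r.get("answer", "").lower() == "y":
            new = exchange(Msg("REQ", {"pwd": "", "msg": NEW_PWD_MSG})).get("pwd", "")
            if new and new != pwd:
                creds[user] = new
    exchange(Msg("SET", {"status": status}))
    return transcript
```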