[Freeipa-devel] [PATCH 0066] Make ipatokenTOTPwatermark a required attribute
Nathaniel McCallum
npmccallum at redhat.com
Thu Sep 18 18:22:07 UTC 2014
On Thu, 2014-09-18 at 14:18 -0400, Simo Sorce wrote:
> On Thu, 18 Sep 2014 13:56:44 -0400
> Nathaniel McCallum <npmccallum at redhat.com> wrote:
>
> > -objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
> > SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> > ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
> > ipatokenTOTPtimeStep) MAY (ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
> > +objectClasses: (2.16.840.1.113730.3.8.16.2.2 NAME 'ipatokenTOTP'
> > SUP ipaToken STRUCTURAL DESC 'TOTP Token Type' MUST (ipatokenOTPkey $
> > ipatokenOTPalgorithm $ ipatokenOTPdigits $ ipatokenTOTPclockOffset $
> > ipatokenTOTPtimeStep $ ipatokenTOTPwatermark) X-ORIGIN 'IPA OTP')
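Review bot: ipatokenTOTPwatermark moves from the MAY list into the MUST list of the ipatokenTOTP objectClass, so any existing ipatokenTOTP entry that lacks the attribute stops conforming to the schema, and nothing in this hunk handles such entries. Pair the schema change with an update step that writes a default ipatokenTOTPwatermark to entries missing it, and state in the commit message that the update has to run for pre-existing tokens.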
>
> NACK, you cannot move from MAY to MUST.
This is precisely what we have been discussing on IRC today. The
consensus was that this was acceptable because of the update plugin and
the rarity of the state in which a token would not have
ipatokenTOTPwatermark set (the token has to be created and never used).
Nathaniel