2.7.6 and 2.7.7 are in conflict #1813
Comments
One suggests 20 bits. Another suggests 64 bits.

2.7.7 says to use rate limiting if the authentication code is less than 64 bits.

Like you should not use rate limiting by default... it's confusing.

The requirement 2.7.7 got in via 401fe46 from issue #1410 (comment). I assigned this issue to @tghosth as the author of 2.7.7 (#1410) and @jmanico as the author of this issue.

I don't think they are in conflict, they are additive.

My vision is that there should be rate-limiting anyway, and it should always be used. What could be the reason not to have it? It means, for me, 2.7.7 is in a way a duplicate of rate-limiting requirements, such as:

Maybe we can merge 2.7.7 into 2.2.1 or into 11.2.2. The rest of 2.7.7 can be considered a duplicate of 2.7.6; if there is a need to increase the entropy, it can be done with 2.7.6.

@aholmis is correct, this is how we have interpreted the NIST requirements. The duplication thing is a tricky question. I think we need a way of having a blanket rate-limiting requirement or at least just one covering authentication flows. I would punt this to V2 rework.