Policies for Device Credentials

[Christian-Schmid]

Hi,

this is kind of a feature request:

We would like to be able to define a password policy for the device credentials API. With a policy it should be possible to define certain limitations / requirements for device credentials.

Some ideas we have in mind:

• Define a minimum number of characters for passwords
• Define the possible set of characters for passwords
• Limit to certain credential types only (e.g. client certificate)

Policies should be able to be configured on a global level and we also would like to be able to attach a specific policy to a specific tenant.

What do you think, is this something which should be implemented in Hono directly, or is this a specific feature which we should just implement in our custom Credentials / Tenant Implementation?

Thanks :-)

[sophokles73]

@Christian-Schmid I agree that having a password policy in place is desirable. My gut feeling is that this will be much easier to implement and enforce in a particular registry implementation. Otherwise, we will need to come up with a DSL for specifying the policy in order to make it configurable. This is, of course, also possible but will require more work, I guess. So, if you need this short term then I think you're better off implementing it in your registry yourself ...