Thanks for the report, Derek. I went ahead and added the Keystone PTL.
Regarding the security status of this bug, I'm leaning toward treating this as a 'security hardening' issue as opposed to a vulnerability. That basically means that we acknowledge that this issue has important security-related implications, but we won't put it under embargo and treat it with the vulnerability process. Instead, we'll work on this in the open like other bugs.
So, the suggestion here is that tokens should be automatically invalidated when a password gets changed?
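The mechanism the comment above is asking about, as an added example that is not Keystone's code and not part of the original bug thread: each user record carries a `password_changed_at` timestamp (a hypothetical field), tokens carry their issue time, and validation rejects any token issued before the user's last password change. The signing scheme, the `USERS` store and the `TOKEN_TTL` value are assumptions made for the example; a real deployment would use its own token format and revocation store.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: a server-side HMAC key used to sign tokens (not Keystone's scheme).
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600.0  # seconds; assumed for the example


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    # Hypothetical revocation marker: any token issued strictly before this
    # timestamp is treated as invalid, so a password change revokes all
    # earlier tokens without tracking individual token IDs.
    password_changed_at: float = 0.0


USERS: Dict[str, User] = {}  # constructed in-memory user store


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[name] = User(salt, _hash_password(password, salt))


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(name: str, password: str, now: float) -> Optional[str]:
    """Authenticate and return a signed bearer token, or None on bad credentials."""
    user = USERS.get(name)
    if user is None:
        return None
    if not hmac.compare_digest(user.password_hash, _hash_password(password, user.salt)):
        return None
    payload = json.dumps({"sub": name, "iat": now}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_token(token: str, now: float) -> Optional[str]:
    """Return the token's subject if the token is genuine, unexpired and was
    issued after the user's most recent password change; otherwise None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(payload)
    user = USERS.get(claims["sub"])
    if user is None:
        return None
    if claims["iat"] + TOKEN_TTL < now:
        return None
    # The hardening point: a token that predates the last password change is
    # rejected even though its signature is still valid.
    if claims["iat"] < user.password_changed_at:
        return None
    return claims["sub"]


def change_password(name: str, new_password: str, now: float) -> None:
    """Rotate the password and stamp the user so all earlier tokens become invalid."""
    user = USERS[name]
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash_password(new_password, user.salt)
    user.password_changed_at = now
```

The comparison is strict (`iat < password_changed_at`), so a token issued in the same instant as the change survives; if that window matters, record the change time before issuing any new tokens or compare with `<=`. The `now` parameter is passed explicitly so the behaviour is deterministic and testable.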