On Wed, 11 Jul 2007 15:00:04 -0500, McKown, John <[EMAIL PROTECTED]> wrote:
>Should I "help" the user by double
>checking for possible bad userids (too long, bad characters), assuming
>that the userid criteria in RACF is unlikely to ever change? Or should I
>just pass along whatever the user types in without any validation so
>that the program does not need to worry about any possible future RACF
>enhancements?
>
>--
>John McKown

The mindset from a security person or an auditor would be "helping" someone figure out userid and password naming conventions only opens up possible security breaches. One would think that if someone were to attempt to access any system on any platform, that their userid and password should already be known. This is just my opinion of course.

Pat L.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

