-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Patrick Lyon
Sent: Wednesday, July 11, 2007 3:25 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: pre-validating RACF userids and passwords in application.

On Wed, 11 Jul 2007 15:00:04 -0500, McKown, John
<[EMAIL PROTECTED]> wrote:

>Should I "help" the user by double
>checking for possible bad userids (too long, bad characters), assuming 
>that the userid criteria in RACF is unlikely to ever change? Or should 
>I just pass along whatever the user types in without any validation so 
>that the program does not need to worry about any possible future RACF 
>enhancements?
>
>--
>John McKown

The mindset from a security person or an auditor would be that "helping"
someone figure out userid and password naming conventions only opens up
possible security breaches.

One would think that if someone were to attempt to access any system on
any platform, that their userid and password should already be known.
<SNIP>

I know my userid and password. However, who (or what) converts it to
upper case in a z/OS environment? An I/O buffer trace between my
"terminal" and the host shows that they are all sent in lower case. But
my system is not using the new RACF function/feature (that accepts mixed
case). So who does the conversion?

We know that it has to be done (fold to upper), because we have a
product that has a SAF interface. If you have its interface option set
to "ASIS" and then you do not give your userid in upper case to it, your
login will fail. Same is true of the password. 

So the mindset of auditors and security persons who do not know the
behind-the-scenes tech issues is just so much noise (my opinion).

Regards,
Steve Thompson

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
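As an added illustration of the two points argued in this exchange (whether the application should pre-check the shape of a userid, and the fold-to-upper-case that happens before a classic RACF check), here is a small Python model. It is not code from the thread or from any IBM product: the SAF-style verify routine, the credential store and the RACF userid syntax rule are all constructed assumptions for the example, and the "ASIS" switch mirrors the product option Steve describes, where lower-case input is compared as typed and therefore fails.

```python
"""Added example, not from the IBM-MAIN thread: a model of a front end that
pre-checks userid shape, folds both fields to upper case before a
non-mixed-case check, and answers every failure the same way. The SAF
interface, the credential store and the userid rule are assumptions."""

import hashlib
import hmac
import re

# ASSUMED RACF-style userid shape: 1-8 characters drawn from A-Z, 0-9 and the
# national characters # @ $. Check this against your own installation's rules.
USERID_RE = re.compile(r"^[A-Z0-9#@$]{1,8}$")


def fold(value: str) -> str:
    """The conversion the message asks about: both fields are upper-cased
    somewhere before a non-mixed-case RACF check sees them."""
    return value.upper()


def pre_validate_userid(userid: str) -> bool:
    """Client-side sanity check on shape only. It is applied after folding so
    a lower-case entry is not rejected that the host would have folded anyway."""
    return bool(USERID_RE.fullmatch(fold(userid)))


def _digest(secret: str) -> bytes:
    # Constructed store keeps a salted hash, never the clear-text password.
    return hashlib.sha256(b"example-salt:" + secret.encode("utf-8")).digest()


# Constructed credential store; the password is stored already folded, as a
# pre-mixed-case password database effectively would hold it.
_STORE = {"JMCKOWN": _digest("SECRET1")}


def saf_verify(userid: str, password: str, asis: bool) -> bool:
    """Simulated SAF-style verify (assumption, not the real SAF API).
    asis=False folds both fields first; asis=True compares them exactly as
    given, which is the 'ASIS' behaviour described in the message."""
    if not asis:
        userid, password = fold(userid), fold(password)
    expected = _STORE.get(userid)
    if expected is None:
        # Spend the same hash cost for an unknown userid so timing does not
        # separate "no such user" from "wrong password".
        hmac.compare_digest(_digest(password), _digest("dummy"))
        return False
    return hmac.compare_digest(_digest(password), expected)


def login(userid: str, password: str, asis: bool = False) -> str:
    """Application front end. Every failure path returns the same text so the
    prompt teaches nothing about userid or password naming conventions."""
    if not pre_validate_userid(userid):
        return "logon failed"
    return "logon ok" if saf_verify(userid, password, asis) else "logon failed"


if __name__ == "__main__":
    print(login("jmckown", "secret1"))             # folded before the check
    print(login("jmckown", "secret1", asis=True))  # ASIS with lower case
    print(login("JMCKOWN", "SECRET1", asis=True))  # ASIS with upper case
    print(login("too-long-userid", "x"))           # rejected by shape check
```

The shape check deliberately covers only length and character class, the two things John mentioned; if the installation later relaxes those rules, the single regular expression is the one place to change, and nothing else in the front end depends on it.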