> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Lyon
> Sent: Wednesday, July 11, 2007 3:25 PM
> To: [email protected]
> Subject: Re: pre-validating RACF userids and passwords in application.
>
> On Wed, 11 Jul 2007 15:00:04 -0500, McKown, John
> <[EMAIL PROTECTED]> wrote:
>
> <snip>
> The mindset from a security person or an auditor would be "helping" someone
> figure out userid and password naming conventions only opens up possible
> security breaches.
>
> One would think that if someone were to attempt to access any system on
> any platform, that their userid and password should already be known.
>
> This is just my opinion of course.
>
> Pat L.

In terms of validation, I was more thinking along the lines of "I know that RACF ids can be a maximum of 8 characters, and are composed of the characters A-Z, @#$, 0-9. So I'll check that the id doesn't contain anything else." I don't consider this a security problem, per se, but a way to "help" somebody (like me) who may have "fat fingered" something. Otherwise, it will not be detected unless/until the person attempts an ftp (if they even do that).

So far, the consensus of opinion is to allow the far end to even do syntax verification. Sounds good to me. What I may do is to have a button like "Validate host / userid / password" so that the user can click that and attempt to connect to the host using the given userid and password. If the logon fails, I'll report that to the user. If the user doesn't want to validate at that time, then it is his problem if the ftp fails later on. That's what I'm trying to avoid.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology

The information contained in this e-mail message may be privileged and/or confidential. It is for intended addressee(s) only. If you are not the intended recipient, you are hereby notified that any disclosure, reproduction, distribution or other use of this communication is strictly prohibited and could, in certain circumstances, be a criminal offense. If you have received this e-mail in error, please notify the sender by reply and delete this message without copying or disclosing it.
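An added example, not code from the original message or from the application John describes: the syntax-only pre-check his post sketches, written in Python. The only rule taken from the post is the one he quotes (at most 8 characters, drawn from A-Z, 0-9 and the national characters @ # $). Everything else is an assumption of this example: that a lowercase entry is folded to upper case rather than rejected, that whitespace is reported as a typing slip, and the function and message wording. The sample inputs in the `__main__` block are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Rule as stated in the post: at most 8 characters from A-Z, 0-9, @, #, $.
# Nothing further about RACF naming is assumed by this check.
MAX_LEN = 8
ALLOWED = re.compile(r"[A-Z0-9@#$]")


def check_racf_userid(userid: str) -> Tuple[Optional[str], str]:
    """Offline syntax pre-check for a RACF user ID.

    Returns (normalized_id, message). normalized_id is None when no RACF
    ID could look like the input, so the caller can stop before opening
    an FTP session. The check only rejects impossible input; it says
    nothing about which IDs exist or what a site's naming scheme is,
    which is the "helping" Pat warns about.
    """
    if userid is None or userid == "":
        return None, "user ID is empty"

    # Assumption for this example: RACF user IDs are upper case, so a
    # lowercase entry is treated as a case-folding slip, not an error.
    candidate = userid.upper()

    if any(c.isspace() for c in candidate):
        return None, "user ID contains whitespace (likely a typing or paste slip)"

    if len(candidate) > MAX_LEN:
        return None, (f"user ID is {len(candidate)} characters; "
                      f"the maximum is {MAX_LEN}")

    bad = sorted({c for c in candidate if not ALLOWED.fullmatch(c)})
    if bad:
        return None, ("user ID contains characters outside A-Z, 0-9, @, #, $: "
                      + " ".join(repr(c) for c in bad))

    # Syntax is fine; whether the ID and password are accepted is only
    # known once the host itself has processed the logon.
    return candidate, "syntax ok; logon result is decided by the host"


if __name__ == "__main__":
    # Constructed inputs for illustration, not real user IDs.
    for sample in ["JMCKOWN", "jmckown", "IBMUSER$", "JOHNMCKOWN",
                   "JMCK-OWN", "JMC KOWN", ""]:
        normalized, message = check_racf_userid(sample)
        print(f"{sample!r:14} -> {normalized!r:12} {message}")
```

The password never enters this function, so a failed pre-check message cannot leak it into a dialog, a log, or a bug report. The same discipline applies to the "Validate host / userid / password" button: report that the host rejected the logon, and do not extend the check with site-specific naming conventions, which is exactly the information an attacker probing user IDs would want.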
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

