On 7/11/2007 7:21 PM, Paul Gilmartin wrote:
Here, there seems to be some shortsightedness in the RACF design:

o If RACF is configured in the ASIS mode, all upstream facilities
  which accept passwords and make SAF calls to validate them must
  treat the passwords ASIS.

Yes.


o If RACF is configured in the CAPS mode, RACF should perform the
  folding; else it becomes the burden of every upstream facility
  to replicate the RACF option (or query RACF or RACF's PARMLIB
  entry) to determine whether to fold.  Better for RACF to
  perform the folding if necessary and all upstream facilities to
  pass passwords ASIS to the SAF interface.

I agree. However, that design occurred over 30 years ago, and we would not change it now. Most applications that call RACF are older ones that need to change anyway to accommodate mixed-case passwords.

If the administrator has configured RACF for mixed-case support, then RACF will handle upper-casing if needed for a particular user.


The ugly scenario occurs when a site which has been operating in
FOLD mode for decades chooses, motivated by an auditor's evaluation,
to convert to ASIS mode.  Then, all upstream folding utilities
must be rewritten and users must learn to lean on the SHIFT key
until they change their passwords to adapt.

Not true. The applications simply need to stop folding when they detect mixed-case enablement. If a user still has an upper-case password, and the application presents it without folding, RACF will upper-case it when configured for mixed-case.


The same applies to userids.  I believe there is no support for
mixed case userids, but RACF should, as a courtesy, fold them
also to avoid replication of code upstream and to allow for
mixed case userids in some future era.

Good suggestion, though I don't know of any plans to allow mixed-case IDs. That affects a lot more than just the logon interface.

        Walt Farrell, CISSP
        IBM STSM, z/OS Security Design

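The FOLD-to-ASIS conversion discussed in this exchange (an updated application stops folding once it detects mixed-case enablement, and the security manager upper-cases on behalf of any user whose password was set before the switch), as an added Python model that is not part of this thread and is not RACF code. `SecurityManager`, `legacy_logon`, `updated_logon`, the per-user "set under mixed-case" flag and the PBKDF2 placeholder are assumptions of the model, not RACF interfaces or RACF's password encoding.

```python
import hashlib
import hmac
import os

# Simplified model of a SAF-style security manager that owns the folding
# (upper-casing) decision. All names here are hypothetical, not RACF's.


def _digest(salt: bytes, password: str) -> bytes:
    # Placeholder one-way function for the model; RACF's own password
    # encoding is not part of this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class SecurityManager:
    """Model security manager holding per-user password records."""

    def __init__(self, mixed_case_enabled: bool = False):
        self.mixed_case_enabled = mixed_case_enabled
        # userid -> (salt, digest, password_set_under_mixed_case)
        self.users: dict[str, tuple[bytes, bytes, bool]] = {}

    def enable_mixed_case(self) -> None:
        # The site's switch from FOLD to ASIS; existing records are untouched.
        self.mixed_case_enabled = True

    def set_password(self, userid: str, password: str) -> None:
        # Userids are upper-case only, so the manager folds them itself.
        stored = password if self.mixed_case_enabled else password.upper()
        salt = os.urandom(16)
        self.users[userid.upper()] = (salt, _digest(salt, stored), self.mixed_case_enabled)

    def verify(self, userid: str, password: str) -> bool:
        """Validate a password presented ASIS by the caller."""
        record = self.users.get(userid.upper())
        if record is None:
            return False
        salt, digest, set_under_mixed_case = record
        if self.mixed_case_enabled and set_under_mixed_case:
            candidate = password  # compare exactly as typed
        else:
            # Either the site still folds, or this user's password predates
            # mixed-case enablement: fold on the user's behalf.
            candidate = password.upper()
        return hmac.compare_digest(_digest(salt, candidate), digest)


def legacy_logon(sm: SecurityManager, userid: str, password: str) -> bool:
    """Old upstream application: always folds before the SAF-style call."""
    return sm.verify(userid.upper(), password.upper())


def updated_logon(sm: SecurityManager, userid: str, password: str) -> bool:
    """Updated application: folds only while the site is not mixed-case enabled."""
    if not sm.mixed_case_enabled:
        password = password.upper()
    return sm.verify(userid, password)


def conversion_scenario() -> dict:
    """Walk one site from FOLD mode to ASIS mode and record what each application sees."""
    sm = SecurityManager(mixed_case_enabled=False)
    sm.set_password("paul", "Secret1")  # constructed sample user; stored folded as SECRET1
    results = {}
    results["fold_mode_legacy"] = legacy_logon(sm, "PAUL", "secret1")
    results["fold_mode_updated"] = updated_logon(sm, "PAUL", "secret1")

    sm.enable_mixed_case()  # the auditor-motivated switch to ASIS
    # Old password presented unfolded: the manager folds it for this user.
    results["asis_old_pw_legacy"] = legacy_logon(sm, "PAUL", "secret1")
    results["asis_old_pw_updated"] = updated_logon(sm, "PAUL", "secret1")

    sm.set_password("PAUL", "SeCrEt2")  # user adopts a mixed-case password
    results["asis_new_pw_legacy"] = legacy_logon(sm, "PAUL", "SeCrEt2")  # app folded it away
    results["asis_new_pw_updated"] = updated_logon(sm, "PAUL", "SeCrEt2")
    results["asis_new_pw_wrong_case"] = updated_logon(sm, "PAUL", "secret2")
    return results


if __name__ == "__main__":
    for name, ok in conversion_scenario().items():
        print(f"{name:26} {'accepted' if ok else 'rejected'}")
```

The scenario shows the two halves of the argument: the unconverted application keeps working for users who still hold a folded password, and only breaks once a user picks a mixed-case password, which is the case the application rewrite has to cover. The caveat for an auditor is visible in the same model: until a user changes their password after the switch, the fold path keeps that password case-insensitive, so the record's "set under mixed-case" state is the thing to report on, not the site-wide option alone.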
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html