On Mon, 26 Jan 2009 07:43:38 -0600, Chase, John <[email protected]> wrote:

>Sounds like a "chicken <-> egg" situation. If RACF didn't fold
>passwords initially, that suggests that uppercase-only passwords were
>not "mandatory" at least as far as RACF was concerned. The question
>then becomes one of why applications "mandated" uppercase-only passwords
>in the first place.

I suspect that it all started with TSO rules about passwords being in upper-case, which RACF then inherited. ADDUSER and ALTUSER use TSO parsing services, which upper-cased the password in accordance with the TSO password rules that pre-dated RACF's existence. And TSO already upper-cased the passwords to make its comparisons with passwords stored in UADS.

Since RACF never saw passwords in anything but upper-case, as other applications started supporting RACF (initially IMS and CICS, I believe) they had to abide by TSO's processing, and upper-case the passwords before presenting them to RACF. And it went on from there.

It would have been much simpler all around had RACF not required that processing of the applications calling it, but it did.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

