Manger, James wrote:
> 1. Is the ABNF in terms of bytes or Unicode code points?

I'd agree with the recommendation to use UTF-8.

> 4. Empty password.
>
> An empty password is not secure, but a 1-char password isn’t appreciably
> better. What is the reason for saying “a password MUST NOT be zero bytes
> in length”? I would drop this requirement.

RFC 2865 (RADIUS) contains prohibitions against zero-length secret keys because I ran into them in practice. Some equipment didn't allow for the entry of a secret key. I requested that such keys be forbidden by the WG.

1 byte passwords aren't much better than zero-length passwords. But zero-length passwords should be forbidden (IMHO). Recommending a minimum length is a SHOULD.

Allowing zero-length passwords could be taken to mean that it is permitted to *omit* the password entirely. That should be forbidden in no uncertain terms.

Alan DeKok.
_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
