On 27/05/15 16:46, Alexey Melnikov wrote:
>>
>> NEW
>>    Note: Some existing systems allow an empty string in places where
>>    a password would be expected (e.g., command-line tools that might
>>    be called from an automated script, or servers that might need to
>>    be restarted without human intervention).  From the perspective of
>>    this document (and RFC 4013 before it), these empty strings are
>>    not passwords but are workarounds for the practical difficulty of
>>    using passwords in certain scenarios.  The prohibition on zero-
>>    length passwords is not a recommendation regarding password
>>    strength (since a password of only one byte is highly insecure),
>>    but is meant to prevent applications from mistakenly omitting a
>>    password entirely, since when internationalized characters are
>>    accepted a non-empty sequence of characters can result in a zero-
>>    length password after canonicalization.
>
> Yes, this looks great. Thank you!

Same here. That's a fine addition I think.

Cheers,
S.

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
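
The case the quoted note describes (a non-empty input that becomes zero-length after canonicalization), as an added example that is not part of the thread or of the draft under discussion. It assumes the RFC 4013 mapping rules as exposed by Python's `stringprep` module, applies only the mapping and NFKC steps, and uses hypothetical helper names (`map_and_normalize`, `prepare_password`, `is_accepted`).

```python
import stringprep
import unicodedata


class EmptyPasswordError(ValueError):
    """Raised when a password is zero-length after preparation."""


def map_and_normalize(raw: str) -> str:
    """Apply the RFC 4013 mapping step and NFKC normalization only.

    Assumption: prohibited-output and bidi checks are left out so the
    example stays focused on the length check.
    """
    mapped = []
    for ch in raw:
        if stringprep.in_table_c12(ch):    # non-ASCII space -> U+0020
            mapped.append(" ")
        elif stringprep.in_table_b1(ch):   # "commonly mapped to nothing"
            continue
        else:
            mapped.append(ch)
    return unicodedata.normalize("NFKC", "".join(mapped))


def prepare_password(raw: str) -> bytes:
    """Hypothetical helper: return comparison bytes, refusing empty results."""
    prepared = map_and_normalize(raw)
    # Check the length AFTER preparation; checking the raw input is not enough.
    if not prepared:
        raise EmptyPasswordError("password is zero-length after preparation")
    return prepared.encode("utf-8")


def is_accepted(raw: str) -> bool:
    try:
        prepare_password(raw)
        return True
    except EmptyPasswordError:
        return False


# Constructed inputs: the second is two code points long but holds only
# SOFT HYPHEN and ZERO WIDTH JOINER, both of which are mapped to nothing.
SAMPLES = ["pass\u00adword", "\u00ad\u200d", "", " "]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "raw length", len(s), "accepted", is_accepted(s))
```

The single-space sample is accepted, which matches the note's point that the rule guards against an omitted password and says nothing about strength.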
