On 5/27/15 10:06 AM, Stephen Farrell wrote:
> On 27/05/15 16:46, Alexey Melnikov wrote:
>>> NEW
>>> Note: Some existing systems allow an empty string in places where
>>> a password would be expected (e.g., command-line tools that might
>>> be called from an automated script, or servers that might need to
>>> be restarted without human intervention). From the perspective of
>>> this document (and RFC 4013 before it), these empty strings are
>>> not passwords but are workarounds for the practical difficulty of
>>> using passwords in certain scenarios. The prohibition on zero-
>>> length passwords is not a recommendation regarding password
>>> strength (since a password of only one byte is highly insecure),
>>> but is meant to prevent applications from mistakenly omitting a
>>> password entirely, since when internationalized characters are
>>> accepted a non-empty sequence of characters can result in a zero-
>>> length password after canonicalization.
>>
>> Yes, this looks great. Thank you!
>
> Same here. That's a fine addition I think.

OK, we'll submit a revised I-D after the telechat.
Peter
--
Peter Saint-Andre
https://andyet.com/