Hi Simon,

> On 29 May 2015, at 21:19, Simon Josefsson <[email protected]> wrote:
>
> Stephen Farrell <[email protected]> writes:
>
>> Hiya,
>>
>>> On 27/05/15 14:06, Alexey Melnikov wrote:
>>> Hi Stephen,
>>>
>>>> On 27/05/2015 13:56, Stephen Farrell wrote:
>>>> [...]
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>>
>>>>
>>>> 4.1: zero length password - I think you're wrong on that
>>>> one but it is arguable. If RFC4013 also prohibited zero
>>>> length passwords (I couldn't tell at a quick glance)
>>> Yes, zero length password was always prohibited by RFC 4013. If you look
>>> at various RFCs that reference SASLPrep, they say "if the password is
>>> invalid or zero length after applying SASLPrep normalization, then
>>> reject it" (or similar words).
>>
>> That wins. I'll clear the discuss and make this a comment.
>
> I question if this is correct -- my SASLprep implementation accepts zero
> length passwords. Where in RFC 4013 is the requirement to reject them?

SASL PLAIN and SCRAM have relevant text (in the case of SCRAM, this only applies to usernames, but they are the same SASLPrep profile, so I think the lack of similar text for passwords was not intentional).

> I think Stephen's thoughts around empty passwords make a lot of sense.
> Empty passwords are used in many places, for good or bad.
>
> I'm certain that not all RFCs that refer to SASLprep have the wording
> above. RFC 5802 (SCRAM) doesn't, as far as I can tell, for example.

See above.

_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
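Added example, not code from this thread or from any of the implementations mentioned in it. It separates the two layers the messages above are arguing about: the SASLprep profile itself as defined in RFC 4013 (built here on Python's standard stringprep module, whose tables are the RFC 3454 tables for Unicode 3.2), which maps, normalizes and checks a string but says nothing about empty output, and a separate "fail if preparation fails or yields an empty string" check of the kind the quoted messages attribute to SASL PLAIN and, for usernames, SCRAM. The soft-hyphen input shows why "zero length after SASLprep" is not the same condition as "zero length input": U+00AD is in table B.1 (commonly mapped to nothing), so a non-empty password can prepare to the empty string. The function names, the allow_unassigned flag and the sample inputs are assumptions of this example.

```python
"""SASLprep (RFC 4013) on Python's stringprep tables, plus the separate
'reject if empty after preparation' check that protocol specifications
such as SASL PLAIN layer on top of it.  Example code, not from the thread."""

import stringprep
import unicodedata

# RFC 4013 is defined against Unicode 3.2.  Python ships that exact database
# as unicodedata.ucd_3_2_0; the stringprep module's tables are built from it.
_UCD_3_2 = unicodedata.ucd_3_2_0


class SASLprepError(ValueError):
    """The input is not valid SASLprep output (prohibited, unassigned, bidi)."""


def saslprep(s: str, allow_unassigned: bool = False) -> str:
    """Return the SASLprep form of s, or raise SASLprepError.

    allow_unassigned=False is the 'stored string' rule of RFC 4013 section 2.5;
    pass True for 'query' strings, which may contain unassigned code points.
    Note that the empty string prepares to the empty string without error.
    """
    # 1. Mapping (section 2.1): non-ASCII spaces (C.1.2) become U+0020,
    #    'commonly mapped to nothing' characters (B.1) are dropped.
    out = []
    for ch in s:
        if stringprep.in_table_c12(ch):
            out.append(" ")
        elif stringprep.in_table_b1(ch):
            continue
        else:
            out.append(ch)
    s = "".join(out)

    # 2. Normalization (section 2.2): Unicode NFKC, Unicode 3.2 data.
    s = _UCD_3_2.normalize("NFKC", s)

    # 3. Prohibited output (section 2.3) and unassigned code points (section 2.5).
    prohibited = (
        stringprep.in_table_c12, stringprep.in_table_c21, stringprep.in_table_c22,
        stringprep.in_table_c3, stringprep.in_table_c4, stringprep.in_table_c5,
        stringprep.in_table_c6, stringprep.in_table_c7, stringprep.in_table_c8,
        stringprep.in_table_c9,
    )
    for ch in s:
        if any(check(ch) for check in prohibited):
            raise SASLprepError(f"prohibited code point U+{ord(ch):04X}")
        if not allow_unassigned and stringprep.in_table_a1(ch):
            raise SASLprepError(f"unassigned code point U+{ord(ch):04X}")

    # 4. Bidirectional characters (section 2.4, rules of RFC 3454 section 6):
    #    a string containing any RandALCat character may contain no LCat
    #    character, and must then both start and end with a RandALCat character.
    if any(stringprep.in_table_d1(ch) for ch in s):
        if any(stringprep.in_table_d2(ch) for ch in s):
            raise SASLprepError("RandALCat and LCat characters mixed")
        if not (stringprep.in_table_d1(s[0]) and stringprep.in_table_d1(s[-1])):
            raise SASLprepError("RandALCat string must start and end with RandALCat")
    return s


def prepare_for_auth(raw: str) -> str:
    """SASLprep plus the protocol-layer check: fail if preparation fails or
    yields an empty string.  This is where empty output is rejected, not in
    saslprep() itself."""
    prepared = saslprep(raw)
    if prepared == "":
        raise SASLprepError("empty string after SASLprep")
    return prepared


def is_acceptable(raw: str) -> bool:
    """True if prepare_for_auth() would accept raw."""
    try:
        prepare_for_auth(raw)
        return True
    except SASLprepError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the thread).
    samples = {
        "plain": "correct horse",
        "soft hyphen only": "\u00ad",          # non-empty input, empty output
        "nbsp + fi ligature": "\u00a0\ufb01sh",  # maps and normalizes to " fish"
        "control char": "pa\u0007ss",          # prohibited by table C.2.1
        "mixed bidi": "\u05d0bc",              # Hebrew letter followed by Latin
        "empty": "",
    }
    for name, value in samples.items():
        try:
            print(f"{name:20} -> {prepare_for_auth(value)!r}")
        except SASLprepError as e:
            print(f"{name:20} -> rejected ({e})")
```

Run stand-alone, the script prints which constructed inputs survive preparation; the point to take from it is that saslprep("\u00ad") returns "" without complaint, and only prepare_for_auth(), the caller's rule, turns that into a rejection.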
