On Wed, Jul 5, 2017 at 3:12 PM, Peter Saint-Andre <[email protected]> wrote:
> On 7/5/17 2:05 PM, Eric Rescorla wrote:
> > Eric Rescorla has entered the following ballot position for
> > draft-ietf-precis-7613bis-08: No Objection
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-precis-7613bis/
> >
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > I agree with jsalowey's point about discouraging raw password comparison. Can
> > you do something about that?
>
> In version -08 we added the following text:
>
> 8.2.  Password/Passphrase Comparison
>
>    In systems that conform to modern best practices for security,
>    verification of passwords during authentication will not use the
>    comparison defined in Section 4.2.3.  Instead, because the system
>    performs cryptographic calculations to verify the password, it will
>    prepare the password as defined in Section 4.2.1 and enforce the
>    rules as defined in Section 4.2.2 before performing the relevant
>    calculations.
>

OK, I can live with this.

-Ekr

> > The use of "false positive" is confusing because positive can either mean
> > "accept" or "reject". I would use "false accept" or "false reject" or some
> > other clearer term
>
> That's a good suggestion - we'll incorporate that change in the
> post-IESG revision.
>
> Peter
_______________________________________________
precis mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/precis
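Added example, not part of the thread or the draft: a Python sketch of the flow the quoted Section 8.2 text describes, where the password is prepared and enforced (non-ASCII spaces mapped to U+0020, NFC applied, case kept) and only then fed to the cryptographic calculation, so no raw string comparison takes place. Assumptions: the function names are hypothetical, PBKDF2 stands in for whatever password hash a system uses, the iteration count is a constructed sample value, and the preparation step approximates the FreeformClass check.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # constructed sample work factor, not a value from the draft


def prepare(password: str) -> str:
    """Section 4.2.1, simplified: reject empty input and disallowed code points."""
    if not password:
        raise ValueError("zero-length password")
    for ch in password:
        # Assumption: a full FreeformClass check needs the PRECIS derived
        # property tables; only controls, surrogates and unassigned are rejected.
        if unicodedata.category(ch) in ("Cc", "Cs", "Cn"):
            raise ValueError(f"disallowed code point U+{ord(ch):04X}")
    return password


def enforce(password: str) -> str:
    """Section 4.2.2: map non-ASCII spaces to U+0020, apply NFC, keep case."""
    mapped = "".join(
        " " if unicodedata.category(ch) == "Zs" else ch for ch in prepare(password)
    )
    return unicodedata.normalize("NFC", mapped)


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the system uses.
    return hashlib.pbkdf2_hmac("sha256", enforce(password).encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> tuple[bytes, bytes]:
    """Return (salt, verifier) computed over the enforced password."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def verify(password: str, salt: bytes, verifier: bytes) -> bool:
    """Recompute over the enforced candidate; no string comparison is involved."""
    try:
        candidate = _derive(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, verifier)
```

Skipping `enforce()` on either side produces a false reject for a user whose input method emits a decomposed form or a non-ASCII space.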
