Hi,

In thinking about decreasing the minimum from 8 to 1, I have a concern that 
we're going to support a minimum that is below the existing RFC 5730 of 6 
characters.  I believe it would be best for the Login Security Extension to at 
least support the existing 6 character minimum with the added language that 
Scott proposed “Servers SHOULD enforce minimum and maximum password length 
requirements that are appropriate for their operating environment. One example 
of a guideline for password length policies can be found in <blah blah> 
[reference here]”.  Scott's language can be added to the Security 
Considerations section of the draft.

Let me know if this will work.  

Thanks,
  
—
 
JG



James Gould
Distinguished Engineer
[email protected]

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/> 

On 6/11/18, 10:00 AM, "Gould, James" <[email protected]> wrote:

    Scott & Gavin,
    
    Thanks for weighing in.  I can make Scott's proposed text and schema change
    with the appropriate <blah blah>.  Thanks Patrick for bringing up the topic.
      
    —
     
    JG
    
    
    
    James Gould
    Distinguished Engineer
    [email protected]
    
    703-948-3271
    12061 Bluemont Way
    Reston, VA 20190
    
    Verisign.com <http://verisigninc.com/> 
    
    On 6/11/18, 9:55 AM, "regext on behalf of Gavin Brown" <[email protected] on behalf of [email protected]> wrote:
    
        +1.
        
        On 11/06/2018 14:49, Patrick Mevzek wrote:
        > On Mon, Jun 11, 2018, at 15:17, Hollenbeck, Scott wrote:
        >> [SAH] Jim, keep in mind that the security guidelines you mentioned are
        >> just that – *guidelines* published by a particular entity that may or
        >> may not be appropriate for use in different operating environments. I’d
        >> be inclined to loosen the Schema to conform to other possibilities and
        >> include an informational reference with text along the lines of “Servers
        >> SHOULD enforce minimum and maximum password length requirements that are
        >> appropriate for their operating environment. One example of a guideline
        >> for password length policies can be found in <blah blah> [reference
        >> here]”. A minimum length of 1 would ensure that the field can’t be
        >> blank, and the server can check if whatever is provided lines up with
        >> expectations for clients.
        > 
        > That sounds perfect to me. Thanks Scott for the text.
        > 
        
        -- 
        Gavin Brown
        Chief Technology Officer
        CentralNic Group plc (LSE:CNIC)
        Innovative, Reliable and Flexible Registry Services
        for ccTLD, gTLD and private domain name registries
        https://www.centralnic.com/
        +44.7548243029
        
        CentralNic Group plc is a company registered in England and Wales with
        company number 8576358. Registered Offices: 35-39 Moorgate, London,
        EC2R 6AR.
        
        
    
    
