I have nothing to add. Just letting know I share the same opinion.

-- 
Pieter Vandepitte
Product Expert
+32 16 28 49 70
www.dnsbelgium.be <http://www.dnsbelgium.be>
 

 
 

On 14/06/18 00:45, "regext on behalf of Patrick Mevzek" 
<regext-boun...@ietf.org on behalf of p...@dotandco.com> wrote:

    
    
    On Mon, Jun 11, 2018, at 19:43, Gould, James wrote:
    > In thinking about decreasing the minimum from 8 to 1, I have a concern 
    > that we're going to support a minimum that is below the existing RFC 
    > 5730 of 6 characters.  I believe it would be best for the Login Security 
    > Extension to at least support the existing 6 character minimum with the 
    > added language that Scott proposed “Servers SHOULD enforce minimum and 
    > maximum password length requirements that are appropriate for their 
    > operating environment. One example of a guideline for password length 
    > policies can be found in <blah blah> [reference here]".  Scott's 
    > language can be added to the Security Considerations section of the 
    > draft.
    > 
    > Let me know if this will work.  
    
    I do not oppose that if this is the consensus but I still see it as 
pointless to provide *any* specific minimum limit here, and I do not see the 
problem with going lower than RFC5730 since this extension is optional and, 
hopefully, if it is used it means the relevant registry has decided to put more 
energy and work around security measures so you could hope they would deal with 
this minimum issue gracefully (that is enforcing something higher than 6, and 
not lower, if they do define the space of characters allowed too).
    
    -- 
      Patrick Mevzek
    
    _______________________________________________
    regext mailing list
    regext@ietf.org
    https://www.ietf.org/mailman/listinfo/regext
    

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext

Reply via email to