On Fri, Dec 20, 2019, at 11:47, Gould, James wrote:
> The EPP RFC 5731 does support the explicit <domain:null> element to
> remove the authorization information, so there is an explicit mechanism
> available in the RFC to set the authorization information to NULL (the
> undefined value).
Yes, I know, and this exactly outlines why an absent node is not the same
thing as a node with an empty value.
Said differently,
<domain:authInfo><domain:pw/></domain:authInfo> is an existing authInfo whose
value is the empty string
whereas
<domain:authInfo><domain:null/></domain:authInfo> means an undefined authInfo
(so could be any value).
> Where there is no explicit element in the EPP RFCs to indicate not
> setting or unsetting the authorization information, the empty
> authorization information can be used for this purpose in a defined
> practice, such as draft-gould-regext-secure-authinfo-transfer.
As you know, I am not convinced this is the best course for the future,
nor that it really fits the working group. But that is just me.
> Having discussion and agreement around the authorization information
> practice would help with the inconsistencies that you outlined in your
> follow-on message, and help increase the authorization information
> security.
I remain on another side: other solutions, instead of passwords, should be
found.
Continuing to use passwords when other (better) solutions exist is not an effort
I find useful.
--
Patrick Mevzek
[email protected]
_______________________________________________
regext mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/regext
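
Added example, not part of the original message or of any registry's code: a small Python classifier that keeps the cases discussed in this thread apart when reading a <domain:update> command (no authInfo node, <domain:pw/> with an empty value, <domain:null/>, and a non-empty password). The sample commands, the domain name, the registrant ID and the password are constructed; the return labels are names chosen for this illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the EPP domain mapping (RFC 5731).
DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"
NS = {"domain": DOMAIN_NS}


def classify_authinfo(update_xml: str) -> str:
    """Return which authInfo form a <domain:update> carries.

    Labels (hypothetical, for this example only):
      "absent"   - no <domain:authInfo> node in the command
      "null"     - <domain:authInfo><domain:null/></domain:authInfo>
      "pw-empty" - <domain:pw/> present, value is the empty string
      "pw-set"   - <domain:pw> present with a non-empty value
      "other"    - authInfo present with neither pw nor null (e.g. ext)
    """
    # Note: for untrusted input, parse with a hardened XML parser.
    root = ET.fromstring(update_xml)
    auth = root.find(".//domain:authInfo", NS)
    if auth is None:
        return "absent"
    if auth.find("domain:null", NS) is not None:
        return "null"
    pw = auth.find("domain:pw", NS)
    if pw is None:
        return "other"
    # ElementTree reports an empty element's text as None.
    return "pw-set" if (pw.text or "") != "" else "pw-empty"


def make_update(chg_body: str) -> str:
    """Wrap a constructed <domain:chg> body in a minimal update command."""
    return (f'<domain:update xmlns:domain="{DOMAIN_NS}">'
            "<domain:name>example.com</domain:name>"
            f"<domain:chg>{chg_body}</domain:chg></domain:update>")


# Constructed sample commands, one per case.
SAMPLES = {
    "absent": make_update("<domain:registrant>sh8013</domain:registrant>"),
    "pw-empty": make_update("<domain:authInfo><domain:pw/></domain:authInfo>"),
    "null": make_update("<domain:authInfo><domain:null/></domain:authInfo>"),
    "pw-set": make_update(
        "<domain:authInfo><domain:pw>2fooBAR</domain:pw></domain:authInfo>"),
}

if __name__ == "__main__":
    for expected, xml in SAMPLES.items():
        print(f"{expected:9} -> {classify_authinfo(xml)}")
```

A server or client that collapses "absent", "pw-empty" and "null" into a single empty value loses the distinction this thread is about, so the three are returned as separate labels.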