Scott, I'll take a shot at adding some text to the Security Considerations section for this. — JG
James Gould
Distinguished Engineer
jgo...@verisign.com
703-948-3271

12061 Bluemont Way
Reston, VA 20190
Verisign.com <http://verisigninc.com/>

On 1/11/19, 1:52 PM, "Hollenbeck, Scott" <shollenbeck=40verisign....@dmarc.ietf.org> wrote:

> And maybe provide some advice about downgrade, what about the following chain of events:
> - change of password using loginsec:newPW for a long password
> - but then change back to short password using pure newPW without the loginSec part.
>
> Allowed? Recommended?
>
> JG - Yes, it would be allowed by the extension, but may not be allowed by server policy. The <loginSec:newPW> element is only required if the new password is longer than the RFC 5730 maximum of 16 characters. The same holds true for the <loginSec:pw> element. I recommend that the client increase instead of decrease the strength of the passwords, but there is nothing in the extension that would disallow it.

Jim, that sounds like it's worth addressing in the Security Considerations section of the document.

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
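The downgrade scenario discussed in the thread, as an added illustration in Python (not code from the draft, from the thread's authors, or from Verisign): a client-side builder that only adds the loginSec extension when a password exceeds the RFC 5730 16-character limit, a server-side resolver that follows the placeholder into the extension, and a server policy check that refuses rolling a long password back to a short one. Element names follow the published RFC 8807 form of the extension; the namespace string, the "[LOGIN-SECURITY]" placeholder, and the no-downgrade policy are assumptions here, and <options>/<svcs> are omitted.

```python
import xml.etree.ElementTree as ET

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
LOGINSEC_NS = "urn:ietf:params:xml:ns:epp:loginSec-1.0"  # assumed: the RFC 8807 value
PLACEHOLDER = "[LOGIN-SECURITY]"  # assumed: RFC 8807 placeholder; 16 chars, so it fits pwType
RFC5730_MAX = 16  # RFC 5730 pwType allows 6..16 characters in <pw> and <newPW>

def q(ns, tag):  # Clark-notation qualified name for ElementTree
    return f"{{{ns}}}{tag}"

def build_login(cl_id, pw, new_pw=None):
    """Client side: a password within the RFC 5730 limit goes into <pw>/<newPW>; a longer
    one is replaced by the placeholder there and carried in the loginSec extension."""
    epp = ET.Element(q(EPP_NS, "epp"))
    cmd = ET.SubElement(epp, q(EPP_NS, "command"))
    login = ET.SubElement(cmd, q(EPP_NS, "login"))  # <options>/<svcs> omitted for brevity
    ET.SubElement(login, q(EPP_NS, "clID")).text = cl_id
    overflow = {}  # passwords that must travel in the extension
    for tag, value in [(t, v) for t, v in (("pw", pw), ("newPW", new_pw)) if v is not None]:
        el = ET.SubElement(login, q(EPP_NS, tag))
        if len(value) > RFC5730_MAX:
            el.text, overflow[tag] = PLACEHOLDER, value
        else:
            el.text = value
    if overflow:  # the extension is only needed when something exceeded the limit
        sec = ET.SubElement(ET.SubElement(cmd, q(EPP_NS, "extension")), q(LOGINSEC_NS, "loginSec"))
        for tag, value in overflow.items():
            ET.SubElement(sec, q(LOGINSEC_NS, tag)).text = value
    return epp

def effective_passwords(epp):
    """Server side: resolve the real (pw, newPW), following a placeholder into the extension."""
    base = f"./{q(EPP_NS, 'command')}/"
    out = []
    for tag in ("pw", "newPW"):
        el = epp.find(base + f"{q(EPP_NS, 'login')}/{q(EPP_NS, tag)}")
        if el is not None and el.text == PLACEHOLDER:
            el = epp.find(base + f"{q(EPP_NS, 'extension')}/{q(LOGINSEC_NS, 'loginSec')}/{q(LOGINSEC_NS, tag)}")
            if el is None or not el.text:  # placeholder sent without the extension value
                raise ValueError(f"<{tag}> is {PLACEHOLDER} but no <loginSec:{tag}> was sent")
        out.append(None if el is None else el.text)
    return tuple(out)

def check_downgrade(current_pw, new_pw):
    """Assumed server policy (not part of the extension): refuse a new password shorter
    than the one it replaces, so a long loginSec password is not rolled back to a short one."""
    if len(new_pw) < len(current_pw):
        return False, f"new password ({len(new_pw)} chars) shorter than current ({len(current_pw)})"
    return True, "ok"
```

Length is used here as a stand-in for password strength; a real registry policy would apply its own strength rules in `check_downgrade`.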