In reviewing the IANA registrations for this draft, I noticed a design issue 
that I think the working group needs to discuss more.

From a strictly schema perspective, the whitespace normalization requirements 
for token will likely have implications for usability of passwords that 
include spaces on the <pw> and <newPW> elements.  That's a problem for 
manually constructed messages, so it would be a minor comment.

However, that would ignore the fact that use of plaintext passwords is not a 
good practice.  Even if this is merely revising something from RFC 5730 to 
extend their length (which is fine in isolation), I think that the working 
group needs to more fully consider.  Though it remains common, relying on 
password-based authentication is generally regarded as a failing; though it 
might be unavoidable, most authentication systems try to avoid it, or only use 
passwords as a way to step up to something stronger.  Sending passwords in 
cleartext in protocols is regarded as a serious exposure in most systems.  Even 
passing hashed and salted passwords has risks that mean that is generally 
avoided where possible.

For a protocol of this nature, it seems like alternative methods could be 
developed.  And if passwords are unavoidable for usability reasons I can't see 
right now, then the CFRG is developing password-based authentication protocols 
that might be suitable for this.  Or there are protocols like OAuth that might 
allow for delegation.

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
