On Wed, Nov 13, 2019, at 15:13, Hollenbeck, Scott wrote:
> I don't think that local storage of sensitive information, such as
> passwords, is a *protocol* issue per se. It does make sense to note
> that it's a bad idea to do that in the Security Considerations sections
> of RFCs where passwords are exchanged as part of a protocol
> interaction, but it's not an interoperability issue. An even better
> idea is to recommend "better" practices in those Security
> Considerations sections.
It is not a protocol issue per se, but if the protocol is so designed that they are definitely not exchanged as plain text (even over a transport protecting them), then it is not an issue anymore at all, as there is no more sensitive information to deal with. One stone, two birds. Remember that the first step to secure information is just making sure you handle as little sensitive information as needed, and then secure the rest. Having clear text passwords at the protocol level is definitely not a MUST for the protocol to work correctly; the protocol could work with other ways to authenticate, eliminating the sensitive part of the information exchanged.

-- 
Patrick Mevzek
p...@dotandco.com

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
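The kind of design Patrick is pointing at, as an added example that is not from his message, from EPP, or from any regext draft: a simplified SCRAM-style challenge-response exchange in which the server stores only a salted verifier and the client proves knowledge of the password without ever putting it on the wire. The `k=v,k=v` message framing, the iteration count and the usernames are assumptions made for illustration; the key derivation follows the SCRAM construction (PBKDF2 -> ClientKey/ServerKey, StoredKey = H(ClientKey), proof = ClientKey XOR HMAC(StoredKey, AuthMessage)).

```python
"""Simplified SCRAM-style exchange (added example, not from the thread or from EPP).

The server keeps only a salted verifier; the client proves it knows the
password without sending it, so nothing password-equivalent crosses the
wire and the server holds no clear-text password it could leak.
Message framing below is an assumption for illustration, not the RFC 5802
wire format.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 4096  # assumed default; real deployments use a far higher count


def _parse(msg: str) -> dict:
    """Split 'k=v,k=v' attribute strings (assumed framing; values hold no commas)."""
    return dict(kv.split("=", 1) for kv in msg.split(","))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _derive(password: str, salt: bytes, iterations: int) -> tuple:
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey), as in SCRAM."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", "sha256").digest()
    server_key = hmac.new(salted, b"Server Key", "sha256").digest()
    return client_key, hashlib.sha256(client_key).digest(), server_key


def register(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Server-side enrolment: store salt, iteration count, StoredKey and ServerKey only."""
    salt = salt or os.urandom(16)
    _, stored_key, server_key = _derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def run_exchange(verifier: dict, username: str, password: str,
                 client_nonce: str = None, server_nonce: str = None) -> dict:
    """Run both sides of the exchange; return both verdicts and the wire transcript."""
    client_nonce = client_nonce or secrets.token_hex(12)
    server_nonce = server_nonce or secrets.token_hex(12)

    # client-first: identity and a fresh nonce, no secret material
    client_first = f"n={username},r={client_nonce}"

    # server-first: combined nonce plus the public salt and iteration count
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={verifier['salt'].hex()},i={verifier['iterations']}"

    # client: derive keys from the password and the server's parameters, then
    # prove possession of ClientKey without revealing it
    sf = _parse(server_first)
    c_client_key, c_stored_key, c_server_key = _derive(
        password, bytes.fromhex(sf["s"]), int(sf["i"]))
    client_final_bare = f"r={sf['r']}"
    auth_message = f"{client_first},{server_first},{client_final_bare}".encode()
    client_sig = hmac.new(c_stored_key, auth_message, "sha256").digest()
    client_final = f"{client_final_bare},p={_xor(c_client_key, client_sig).hex()}"

    # server: rebuild AuthMessage from what it saw, recover ClientKey from the
    # proof and compare its hash with StoredKey (constant-time)
    bare = client_final.rsplit(",p=", 1)[0]
    s_auth_message = f"{client_first},{server_first},{bare}".encode()
    proof = bytes.fromhex(_parse(client_final)["p"])
    s_client_sig = hmac.new(verifier["stored_key"], s_auth_message, "sha256").digest()
    recovered = hashlib.sha256(_xor(proof, s_client_sig)).digest()
    server_accepted = hmac.compare_digest(recovered, verifier["stored_key"])
    if server_accepted:
        server_sig = hmac.new(verifier["server_key"], s_auth_message, "sha256").digest()
        server_final = f"v={server_sig.hex()}"
    else:
        server_final = "e=invalid-proof"

    # client: authenticate the server by checking ServerSignature (mutual auth)
    sfin = _parse(server_final)
    expected = hmac.new(c_server_key, auth_message, "sha256").digest()
    client_accepted = "v" in sfin and hmac.compare_digest(bytes.fromhex(sfin["v"]), expected)

    return {"server_accepted": server_accepted, "client_accepted": client_accepted,
            "transcript": [client_first, server_first, client_final, server_final]}


if __name__ == "__main__":
    v = register("correct horse battery staple")
    result = run_exchange(v, "registrar-42", "correct horse battery staple")
    for line in result["transcript"]:
        print(line)
    print("server accepted:", result["server_accepted"],
          "client accepted:", result["client_accepted"])
```

Two properties worth checking on the transcript: the password string never appears in any message, and the proof is bound to both nonces, so a captured exchange cannot be replayed against a server that issues a fresh nonce. The server-side record (`register`) likewise contains no clear-text password, which is the "no more sensitive information to deal with" outcome the message describes.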