From: regext <regext-boun...@ietf.org> On Behalf Of Gould, James
Sent: Monday, June 11, 2018 9:01 AM
To: Patrick Mevzek <p...@dotandco.com>; regext@ietf.org
Subject: [EXTERNAL] Re: [regext] FW: New Version Notification for draft-gould-regext-login-security-00.txt

It was 6 before and apparently we "need" to upgrade to 8 now. I am quite sure that in 5 years we would want to increase 8 to 10 and so on, this is purely Moore's law. So to ease future maintenance I am just saying: remove this arbitrary limit in the protocol, since it is a policy decision anyway.

Are there any other thoughts on inclusion of a minimum of 8 characters for the password in draft-gould-regext-login-security versus specifying no minimum and leaving the minimum up to server policy? My preference is to meet the existing security guidelines by specifying the minimum of 8 characters and Patrick’s preference is to remove the minimum. Any other thoughts on this are greatly appreciated.

[SAH] Jim, keep in mind that the security guidelines you mentioned are just that – *guidelines* published by a particular entity that may or may not be appropriate for use in different operating environments. I’d be inclined to loosen the Schema to conform to other possibilities and include an informational reference with text along the lines of “Servers SHOULD enforce minimum and maximum password length requirements that are appropriate for their operating environment. One example of a guideline for password length policies can be found in <blah blah> [reference here]”. A minimum length of 1 would ensure that the field can’t be blank, and the server can check if whatever is provided lines up with expectations for clients.

Scott

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext