Password set/change error reporting

Nicolas Williams Nicolas.Williams at sun.com
Fri Apr 4 14:28:35 EST 2003


On Fri, Apr 04, 2003 at 12:20:46PM -0600, Paul W. Nelson wrote:
> Just would like to get some feedback on this idea to see if it is
> reasonable:
> 
> Currently, the version 2 draft proposes a single error code to handle policy
> issues:
> 
> >      KRB5_KPASSWD_POLICY_REJECT      8 new cleartext password fails
> >                                        policy; the result string
> >                                        should include a text
> >                                        message to be presented to
> >                                        the user.
> Returning a string (current method) is OK, but makes it very difficult for
> writing internationalized/localized software.  The person changing the
> password might be using Japanese as their language, and the kdc/kpasswd
> server might be serving a multi-lingual community.

Please see the early draft I posted to the IETF KRB WG list on March
17th, 2003.  I've tried to make sure it is properly internationalized.

> I would like to see the version 2 draft specify extended error codes that
> enumerate common reasons for a password change failing.  Here are some of
> the codes I would like to see:
>  
>     a) Password too short
>     b) Password not complex enough
>     c) Password can't be changed yet (too soon)
>     d) Password was used previously
> Others??

No, none of these is needed.

New password quality checks can be invented, but since these are
passwords it's always a user that must be told what was wrong with the
password, so what we need is for the server to tell, via a [UTF-8]
string, the user, in a language spoken (er, read) by the user, what was
wrong with the user's new password.

> BTW:  What is the status of this draft?  It looks like it has expired.

It's expired and I'm now the editor for it.  I only have to fix
formatting and fill in a bit more text and check to make sure that the
text is fully consistent.

Cheers,

Nico