View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001706 | 10000-004: Services | public | 2011-08-18 18:57 | 2012-02-09 22:51 | |
| Reporter | Assigned To | Matthias Damm | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 1.01 | ||||
| Fixed in Version | 1.02 | ||||
| Summary | 0001706: Request: Add password requirement for servers supporting username & password | ||||
| Description | The CMPWG call (Aug-18-2011) reviewed a test-case where a username and password are used to establish a session, except the password is empty. We determined that this should consititute an invalid password - a contentious topic we know! We therefore propose including text to require a server supporting username and password to require non-empty passwords. We didn't want to say length > 0, so just length != 0. | ||||
| Tags | No tags attached. | ||||
| Commit Version | |||||
| Fix Due Date | |||||
|
|
If you blindly apply the stated algorithm there should be no issue and no ambiguity since the server nonce is always appended to the data before encryption. If there is an issue it is a implementation problem. The specification should explicitly state that servers must handle an Empty String as a password but some systems will impose their own complexity rules which are out of scope of the specification. In other words, it is not wrong for a server to reject an empty password, however, they can accept it. |
|
|
Added the following clarification to 7.35.3 UserNameIdentityToken Changed in document version OPC UA Part 4 - Services 1.02.06 Draft.doc |
|
|
Discussed in telecon. |
|
|
CMPWG Sep-8-2011 reviewed and agreed with the spec modification. Thanks! |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2011-08-18 18:57 |
|
New Issue | |
| 2011-08-23 17:19 | Randy Armstrong | Note Added: 0002846 | |
| 2011-08-23 17:22 | Randy Armstrong | Note Edited: 0002846 | |
| 2011-08-23 17:22 | Randy Armstrong | Status | new => assigned |
| 2011-08-23 17:22 | Randy Armstrong | Assigned To | => Matthias Damm |
| 2011-09-06 17:16 | Matthias Damm | Status | assigned => resolved |
| 2011-09-06 17:16 | Matthias Damm | Resolution | open => fixed |
| 2011-09-06 17:16 | Matthias Damm | Note Added: 0002905 | |
| 2011-09-06 17:32 | Randy Armstrong | Status | resolved => closed |
| 2011-09-06 17:32 | Randy Armstrong | Note Added: 0002907 | |
| 2011-09-08 18:23 |
|
Note Added: 0002927 | |
| 2012-02-09 22:51 | Jim Luth | Fixed in Version | => 1.02 |
