In section 5, the wording "If the provided oldPasswd value cannot be
verified or is incorrect, the server SHALL NOT change the user password."
implies that if the oldPassword value is not provided, this clause may be
ignored. If this is true (and I hope it is), I'd like to see a
stronger indication of the server behavior when the oldPasswd value is not
provided.
I'd prefer if the draft stated that if the oldPasswd value is not present,
the server MAY use other policy to determine whether the password is changed.
This is typically due to the currently authenticated identity having
sufficient access permissions to change the specified user's password (such as a
supervisor).
On a lesser note:
There are redundancies in Section 5, second paragraph, and Section 6,
first paragraph.
Jim
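The decision rule Jim is asking the draft to spell out, written out as a server-side check. This is an added illustration, not text or code from the draft or from the poster: the password store, the ACL table `reset_rights`, the `Directory` class and the result strings are all hypothetical, and the PBKDF2 hashing is simply one reasonable way to keep verifiable password material for the demo. The two branches are the ones under discussion: a supplied oldPasswd that does not verify always leaves the password unchanged, while an absent oldPasswd falls back to other policy (here, whether the bound identity holds reset rights over the target, as a supervisor would).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-SHA256 with a random salt; the salt is prepended to the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt+digest."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Directory:
    """Hypothetical in-memory directory: DN -> stored hash, plus a reset ACL."""
    passwords: Dict[str, bytes]
    # Hypothetical ACL: bound DN -> set of target DNs it may reset without oldPasswd.
    reset_rights: Dict[str, Set[str]] = field(default_factory=dict)


def password_modify(
    directory: Directory,
    bound_dn: Optional[str],
    user_identity: Optional[str],
    old_passwd: Optional[str],
    new_passwd: str,
) -> Tuple[bool, str]:
    """Apply the policy discussed in the post and return (changed, reason).

    - oldPasswd present but not verifiable: the password is never changed.
    - oldPasswd absent: other policy decides. Here a self-change without oldPasswd
      is refused, and a change of another entry is allowed only if the bound
      identity holds reset rights over the target (for example a supervisor).
    """
    # Per the operation's semantics, an absent userIdentity means the bound user.
    target = user_identity or bound_dn
    if target is None or target not in directory.passwords:
        return False, "noSuchObject"

    if old_passwd is not None:
        # Clause under discussion: an incorrect/unverifiable oldPasswd is final.
        if not verify_password(old_passwd, directory.passwords[target]):
            return False, "invalidCredentials: oldPasswd not verified; unchanged"
    else:
        # oldPasswd absent: fall back to access-control policy.
        if bound_dn is None:
            return False, "insufficientAccessRights: anonymous bind"
        if target == bound_dn:
            return False, "insufficientAccessRights: oldPasswd required for self-change"
        if target not in directory.reset_rights.get(bound_dn, set()):
            return False, "insufficientAccessRights: no reset rights over target"

    directory.passwords[target] = hash_password(new_passwd)
    return True, "success"


def demo_directory() -> Directory:
    """Constructed sample data: two users and one supervisor with rights over alice."""
    return Directory(
        passwords={
            "uid=alice,dc=example": hash_password("s3cret"),
            "uid=bob,dc=example": hash_password("hunter2"),
        },
        reset_rights={"uid=boss,dc=example": {"uid=alice,dc=example"}},
    )


if __name__ == "__main__":
    d = demo_directory()
    print(password_modify(d, "uid=alice,dc=example", None, "wrong", "new"))
    print(password_modify(d, "uid=alice,dc=example", None, None, "new"))
    print(password_modify(d, "uid=alice,dc=example", None, "s3cret", "new"))
    print(password_modify(d, "uid=boss,dc=example", "uid=alice,dc=example", None, "reset"))
    print(password_modify(d, "uid=boss,dc=example", "uid=bob,dc=example", None, "reset"))
```

The self-change branch refusing an absent oldPasswd is a local policy choice made for the demo; a server that wants to let a freshly authenticated user change its own password without resending it would simply drop that check, which is exactly the kind of latitude the suggested "MAY use other policy" wording would give.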