Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!mit-eddie!ll-xn!cit-vax!ucla-cs!zen!ucbvax!IBM.COM!PERSHNG
From: PERSHNG@IBM.COM (John Pershing)
Newsgroups: comp.protocols.tcp-ip
Subject: (none)
Message-ID: <090987.094643.PERSHNG@ibm.com>
Date: Wed, 9-Sep-87 10:26:44 EDT
Article-I.D.: ibm.090987.094643.PERSHNG
Posted: Wed Sep 9 10:26:44 1987
Date-Received: Fri, 11-Sep-87 01:41:07 EDT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 16

I don't understand why one should trust "subverted local software" to handle your *current* password, yet not trust it to set a *new* password. (Note that the current password has to be provided before the new one can be set.)

The scheme that Chris Markle proposes for setting new passwords makes perfect sense to someone who is familiar with the normal IBM access control procedures. (Actually, the *original* scheme makes *more* sense, except that the perpetrators of FTP don't seem to understand the necessity of periodic password changes.) However, the GROUP() parameter on the PASS command seems a bit strange -- wouldn't it "look better" on the USER command, without echo-suppression?

John A. Pershing Jr.
IBM T. J. Watson Research Center
Yorktown Heights, NY 10598