RFC Errata
RFC 7643, "System for Cross-domain Identity Management: Core Schema", September 2015
Note: This RFC has been updated by RFC 9865
Source of RFC: scim (sec)
See Also: RFC 7643 w/ inline errata
Errata ID: 8450
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Guillaume Winter
Date Reported: 2025-06-05
Verifier Name: Deb Cooley
Date Verified: 2025-10-28
Section 4.1.1. says:
password
This attribute is intended to be used as a means to set, replace,
or compare (i.e., filter for equality) a password. The cleartext
value or the hashed value of a password SHALL NOT be returnable by
a service provider. If a service provider holds the value
locally, the value SHOULD be hashed. When a password is set or
changed by the client, the cleartext password SHOULD be processed
by the service provider as follows:
* Prepare the cleartext value for international language
comparison. See Section 7.8 of [RFC7644].
* Validate the value against server password policy. Note: The
definition and enforcement of password policy are beyond the
scope of this document.
* Ensure that the value is encrypted (e.g., hashed). See
Section 9.2 for acceptable hashing and encryption handling when
storing or persisting for provisioning workflow reasons.
It should say:
password
This attribute is intended to be used as a means to set, replace,
or compare (i.e., filter for equality) a password. The cleartext
value or the hashed value of a password SHALL NOT be returnable by
a service provider. If a service provider holds the value
locally, the value SHOULD be hashed. When a password is set or
changed by the client, the cleartext password SHOULD be processed
by the service provider as follows:
* Prepare the cleartext value for international language
comparison. See Section 7.8 of [RFC7644].
* Validate the value against server password policy. Note: The
definition and enforcement of password policy are beyond the
scope of this document.
* Ensure that the value is hashed or encrypted. See
Section 9.2 for acceptable hashing and encryption handling when
storing or persisting for provisioning workflow reasons.
Notes:
It was confusing that the text stated "encrypted (e.g., hashed)".
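As an added example, not taken from the RFC or from any SCIM implementation, the following Python sketch of a service provider applies the corrected processing steps: the cleartext is prepared, checked against a policy, stored only as a salted hash, compared for equality, and never included in the returned resource representation. Unicode NFC normalization, the minimum-length policy and the PBKDF2 parameters are assumptions standing in for the preparation rules of Section 7.8 of RFC 7644, the out-of-scope server policy, and the Section 9.2 storage guidance.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed in-memory store: SCIM user id -> resource attributes. The
# password is held only as (salt, hash) under a private key, never in cleartext.
_USERS: dict[str, dict] = {}


def _prepare(cleartext: str) -> str:
    # Assumption: NFC normalization stands in for the international
    # comparison preparation that RFC 7643 delegates to RFC 7644, Section 7.8.
    return unicodedata.normalize("NFC", cleartext)


def _hash(prepared: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2-HMAC-SHA256; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", prepared.encode("utf-8"), salt, 210_000)


def set_password(user_id: str, cleartext: str) -> None:
    """Set or replace the password: only a fresh salt and its hash are stored."""
    prepared = _prepare(cleartext)
    # Placeholder policy (assumption); the RFC leaves policy out of scope.
    if len(prepared) < 8:
        raise ValueError("password policy violation")
    salt = os.urandom(16)
    user = _USERS.setdefault(user_id, {"id": user_id})
    user["_password"] = (salt, _hash(prepared, salt))


def password_matches(user_id: str, cleartext: str) -> bool:
    """Equality comparison (the `password eq` filter case) against the hash."""
    stored = _USERS.get(user_id, {}).get("_password")
    if stored is None:
        return False
    salt, digest = stored
    # Constant-time comparison so the filter leaks nothing about the hash.
    return hmac.compare_digest(digest, _hash(_prepare(cleartext), salt))


def to_resource(user_id: str) -> dict:
    """Representation returned to clients: neither cleartext nor hash appears."""
    return {k: v for k, v in _USERS[user_id].items() if not k.startswith("_")}
```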
