added proposal to caveat the server-side registration warning (#437)

* added proposal to caveat the server-side registration warning * accepted Kevins proposal
cfrg · Dec 14, 2023 · f036cf2 · f036cf2
1 parent ee74a9a
commit f036cf2
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/draft-irtf-cfrg-opaque.md b/draft-irtf-cfrg-opaque.md
@@ -2266,9 +2266,9 @@ offline dictionary attack to recover the original password.
 
 Some applications may require learning the client's password for enforcing password
 rules. Doing so invalidates this important security property of OPAQUE and is
-NOT RECOMMENDED. Applications should move such checks to the client. Note that
-limited checks at the server are possible to implement, e.g., detecting repeated
-passwords upon re-registrations or password change.
+NOT RECOMMENDED, unless it is not possible for applications to move such checks
+to the client. Note that limited checks at the server are possible to implement, e.g.,
+detecting repeated passwords upon re-registrations or password change.
 
 In general, passwords should be selected with sufficient entropy to avoid being susceptible
 to recovery through dictionary attacks, both online and offline.