From cbc12f5d2f344e1dd87874201187dde44d004e56 Mon Sep 17 00:00:00 2001 From: Kevin Lewi Date: Mon, 4 Dec 2023 17:39:23 +0100 Subject: [PATCH] Adding note on password change --- draft-irtf-cfrg-opaque.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/draft-irtf-cfrg-opaque.md b/draft-irtf-cfrg-opaque.md index b4e29302..a1bc7681 100644 --- a/draft-irtf-cfrg-opaque.md +++ b/draft-irtf-cfrg-opaque.md @@ -1828,6 +1828,11 @@ applications can use to control OPAQUE: implement this mitigation SHOULD use the same configuration information (such as the oprf_seed) for all clients; see {{preventing-client-enumeration}}. In settings where this attack is not a concern, servers may choose to not support this functionality. +- Handling password changes: In the event of a password change, the client and + server can run the offline registration phase using the new password as a + fresh instance (ensuring to resample all random values). The resulting + registration record can then replace the previous record corresponding to + the client's old password registration. # Implementation Considerations {#implementation-considerations}
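Review bot: The parenthetical "(ensuring to resample all random values)" in the new bullet sits right after the preceding bullet's requirement that servers use the same configuration information, such as the oprf_seed, for all clients, so as written it could be read as asking the server to resample the oprf_seed too, which would undo the client-enumeration mitigation. Suggest making the scope explicit, e.g. "resampling all per-registration random values; server-wide configuration such as the oprf_seed is retained as described above". Two smaller points on the same hunk: the bullet does not say that the client must first be authenticated (for example by completing an AKE under the old password) before the server accepts a replacement record, and that the replacement should be a single atomic update so the old record cannot remain usable alongside the new one; a sentence to that effect would close the gap. Finally, "ensuring to resample" reads awkwardly; "taking care to resample" or simply "resampling" is cleaner.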