oath-toolkit-help

Re: [OATH-Toolkit-help] dynalogin, HOTP and SASL


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] dynalogin, HOTP and SASL
Date: Tue, 13 Mar 2012 15:40:57 +0100
User-agent: Gnus/5.130003 (Ma Gnus v0.3) Emacs/24.0.94 (gnu/linux)

Daniel Pocock <address@hidden> writes:

> On 12/03/2012 13:55, Simon Josefsson wrote:
>>
>> Using PLAIN requires no changes on the wire, but I think it will work
>> fairly poorly in practice: most clients cache the password and some even
>> open multiple connections, all based on that cached password.  It is
>> likely to lead to many authentication failure problems.  A separate SASL
>> mechanism for OTP is likely to lead to better user interfaces in client
>> applications.  I actually worked on a specification for this a year ago:
>>
>> https://tools.ietf.org/html/draft-josefsson-kitten-crotp-00
>
> I agree with those comments, and I came across your draft after sending
> the email to the list, it is very close to what I had in mind

Great.  Exim recently got GNU SASL support in a development branch, so
it could be used for testing in a more real-world environment.  I'm
looking at getting a test environment for that up and running to be able
to test new SASL mechanisms more easily...

>> What do you think?  My lack of further work in this area has mostly been
>> because of limited feedback and deployment opportunities.  If you
>> have some users that could beta test something like this, that would
>> help.
>
> I'm approaching it from a different angle: I just want to make dynalogin
> into a form that works for one or two purposes (e.g. OpenID is working,
> and SASL, RADIUS or PAM would not be too hard), get it into some of the
> main Linux distributions, and then see the response from people who
> deploy it
>
> That is why I asked you about having liboath in Debian at the very
> beginning, and having modularisation and callbacks so that our code
> works together: I think it is a good way to get a lot of users and get
> some practical feedback, the projects will hopefully attract a community
> and people will do stuff with it that neither of us has anticipated

Yep I agree.  What do you see should be done here?  Implementing CROTP
is a start, but a bit speculative without any real use-case or interest
from actual users.  I've been burned before implementing early IETF
drafts (even my own :-)) so I need something to motivate me to work on
it.

/Simon


