Re: [OATH-Toolkit-help] dynalogin, HOTP and SASL
From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] dynalogin, HOTP and SASL
Date: Tue, 13 Mar 2012 15:40:57 +0100
User-agent: Gnus/5.130003 (Ma Gnus v0.3) Emacs/24.0.94 (gnu/linux)

Daniel Pocock <address@hidden> writes:
> On 12/03/2012 13:55, Simon Josefsson wrote:
>>
>> Using PLAIN requires no changes on the wire, but I think it will work
>> fairly poorly in practice: most clients cache the password and some even
>> open multiple connections, all based on that cached password. It is
>> likely to lead to many authentication failure problems. A separate SASL
>> mechanism for OTP is likely to lead to better user interfaces in client
>> applications. I actually worked on a specification for this a year ago:
>>
>> https://tools.ietf.org/html/draft-josefsson-kitten-crotp-00
>
> I agree with those comments, and I came across your draft after sending
> the email to the list, it is very close to what I had in mind

Great. Exim recently got GNU SASL support in a development branch, so
it could be used for testing in a more real-world environment. I'm
looking at getting a test environment for that up and running to be able
to test new SASL mechanisms more easily...

>> What do you think? My lack of further work in this area has mostly been
>> because of limited feedback and deployment opportunities. If you
>> have some users that could beta test something like this, that would
>> help.
>
> I'm approaching it from a different angle: I just want to make dynalogin
> into a form that works for one or two purposes (e.g. OpenID is working,
> and SASL, RADIUS or PAM would not be too hard), get it into some of the
> main Linux distributions, and then see the response from people who
> deploy it
>
> That is why I asked you about having liboath in Debian at the very
> beginning, and having modularisation and callbacks so that our code
> works together: I think it is a good way to get a lot of users and get
> some practical feedback, the projects will hopefully attract a community
> and people will do stuff with it that neither of us has anticipated

Yep I agree. What do you see should be done here? Implementing CROTP
is a start, but a bit speculative without any real use-case or interest
from actual users. I've been burned before implementing early IETF
drafts (even my own :-)) so I need something to motivate me to work on
it.

/Simon