Re: [OATH-toolkit-help] HOTP in HTTP Digest

From: Daniel Pocock
Subject: Re: [OATH-toolkit-help] HOTP in HTTP Digest
Date: Sun, 09 Jan 2011 23:20:02 +0100
User-agent: Mozilla-Thunderbird (X11/20100329)

> What do you think if there were a hotp_validate_otp_callback() interface
> that took a callback function to implement the 'strcmp' operation?  Then
> you could call hotp_validate_otp_callback and provide a function pointer
> to your function that generates an HTTP Digest response and compares it
> with what was received by the web server?

I actually had the same idea, although it made me start thinking about an object-oriented rewrite. However, a function pointer is probably all that is needed.

I agree that HTTP Digest is not the most beautiful technology - phpMyID actually creates a session cookie and then stops looking at the digest headers. In a real HTTP digest scenario, the user would be prompted for their token code on every GET request (for every image on the page, for example), so I'm in no hurry to make this into a full Apache module.

Ultimately, the session cookie may then become the weakest point in the chain - so it becomes necessary to use HTTPS for the OpenID server.

> Btw, I have implemented TOTP in Git, see how oathtool can now generate
> TOTP matching the test vectors.  Will release it soon...

That is good news - I've already been thinking about how dynalogin should allow the sysadmin to `plug and play' these things, and how the dynalogin server will `route' the requests internally from the TCP session to the appropriate auth module.

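The callback idea discussed in this message, as an added Python example (not code from the thread or from OATH Toolkit): the window search stays generic, and the comparison callback recomputes the HTTP Digest response for each candidate OTP. The names `validate_with_callback` and `make_digest_matcher` are hypothetical; it assumes the OTP alone is the Digest password, RFC 2617 without `qop`, the RFC 4226 test secret, and constructed user, realm and nonce values.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def validate_with_callback(secret, start_counter, window, matches, digits=6):
    """Hypothetical interface: try each OTP in the look-ahead window and let
    the caller-supplied matches(otp) replace the plain string comparison.
    Returns the next counter to store, or None if nothing matched."""
    for step in range(window + 1):
        if matches(hotp(secret, start_counter + step, digits)):
            return start_counter + step + 1
    return None

def make_digest_matcher(user, realm, method, uri, nonce, received):
    """Callback that recomputes the Digest response with a candidate OTP as
    the password (assumption: the OTP alone is the password, no PIN prefix)."""
    def matches(candidate_otp: str) -> bool:
        expected = digest_response(user, realm, candidate_otp, method, uri, nonce)
        return hmac.compare_digest(expected, received)
    return matches

def demo():
    secret = b"12345678901234567890"                  # RFC 4226 test secret
    args = ("alice", "openid", "GET", "/", "abc123")  # constructed sample values
    # Client side: token is at counter 3, so the user types 969429.
    received = digest_response(args[0], args[1], hotp(secret, 3), *args[2:])
    matcher = make_digest_matcher(*args, received)
    accepted = validate_with_callback(secret, 1, 5, matcher)  # server stored 1
    replayed = validate_with_callback(secret, accepted, 5, matcher)
    return accepted, replayed

if __name__ == "__main__":
    print(demo())
```

The second call in `demo()` shows why the server has to store the returned counter: once it has moved past the used value, the same Digest response no longer validates.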