Re: [OATH-toolkit-help] HOTP in HTTP Digest

[Daniel Pocock]

> What do you think if there were a hotp_validate_otp_callback() interface
> that took a callback function to implement the 'strcmp' operation?  Then
> you could call hotp_validate_otp_callback and provide a function pointer
> to your function that generates a HTTP Digest response and comparing it
> with what was received by the web server?
>   
I actually had the same idea, although it made me start thinking about 
an object-oriented rewrite.  However, a function pointer is probably all 
that is needed.

I agree that HTTP Digest is not the most beautiful technology - phpMyID 
actually creates a session cookie and then stops looking at the digest 
headers.  In a real HTTP digest scenario, the user would be prompted for 
their token code on every GET request (for every image on the page, for 
example), so I'm in no hurry to make this into a full Apache module.

Ultimately, the session cookie may then become the weakest point in the 
chain - so it becomes necessary to use HTTPS for the OpenID server.
> Btw, I have implemented TOTP in Git, see how oathtool can now generate
> TOTP matching the test vectors.  Will release it soon...
>   

That is good news - I've already been thinking about how dynalogin 
should allow the sysadmin to `plug and play' these things, and how the 
dynalogin server will `route' the requests internally from the TCP 
session to the appropriate auth module.