oath-toolkit-help

Re: [OATH-Toolkit-help] dynalogin, HOTP and SASL


From: Daniel Pocock
Subject: Re: [OATH-Toolkit-help] dynalogin, HOTP and SASL
Date: Mon, 12 Mar 2012 22:31:59 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20111110 Iceowl/1.0b1 Icedove/3.0.11

On 12/03/2012 13:55, Simon Josefsson wrote:
>
> Using PLAIN requires no changes on the wire, but I think it will work
> fairly poorly in practice: most clients cache the password and some even
> open multiple connections, all based on that cached password.  It is
> likely to lead to many authentication failure problems.  A separate SASL
> mechanism for OTP is likely to lead to better user interfaces in client
> applications.  I actually worked on a specification for this a year ago:
>
> https://tools.ietf.org/html/draft-josefsson-kitten-crotp-00

I agree with those comments, and I came across your draft after sending
the email to the list; it is very close to what I had in mind.

> What do you think?  My lack of further work in this area has mostly been
> because of limited feedback and deployment opportunities.  If you
> have some users that could beta test something like this, that would
> help.

I'm approaching it from a different angle: I just want to make dynalogin
into a form that works for one or two purposes (e.g. OpenID is working,
and SASL, RADIUS or PAM would not be too hard), get it into some of the
main Linux distributions, and then see the response from people who
deploy it.

That is why I asked you about having liboath in Debian at the very
beginning, and having modularisation and callbacks so that our code
works together: I think it is a good way to get a lot of users and get
some practical feedback, the projects will hopefully attract a community
and people will do stuff with it that neither of us has anticipated.



