* Volodya <Volodya at WhenGendarmeSleeps.org> [2007-03-06 05:44:35]:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Matthew Toseland wrote:
> > I don't understand why a password and IP address is easier than a
> > one-time reference. I suppose it has the advantage of being able to
> > write it down - but for it to be secure it would need to be a one-time
> > password; you'd need to generate a new one every time ...
> >
> > Hmmm. Maybe we should provide both mechanisms?
>
> One thing that might be done is not having an incredibly secure password
> protection (just secure enough), but when somebody adds themselves via
> password they get added in the disabled mode, then the person tells you
> "It asks me to tell you to enable me" and you do so. If somebody intercepts
> the password in between and uses it, the second person will get a request
> to inform you that password has been used already, so you just go and
> delete the bugger who used it.
>
> In other words: Bring security away from the machine and to the person.
>
> - Volodya

So far a node is *passive* and won't react upon reception of any unknown
data. If we want to tell the user that the password has already been used,
we would need to change that behaviour :/

I'm not sure it's a good idea.

NextGen$
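
The flow proposed in the quoted message and the passivity concern raised in the reply, modelled as an added example that is not part of the original thread or of the project's code. The class, method names, reply strings and the local operator log are hypothetical.

```python
import hmac
import secrets


class InviteRegistry:
    """Toy model of the proposed flow; every name here is hypothetical."""

    def __init__(self, reply_on_reuse):
        self.reply_on_reuse = reply_on_reuse  # False models the passive node
        self.password = secrets.token_urlsafe(9)
        self.used_by = None     # peer that redeemed the password first
        self.peers = {}         # peer id -> "disabled" | "enabled"
        self.operator_log = []  # assumption: the owner can read a local log

    def redeem(self, peer_id, password):
        """Return the message sent back to the peer, or None for silence."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return None  # unknown data: stay passive
        if self.used_by is None:
            self.used_by = peer_id
            self.peers[peer_id] = "disabled"  # never trusted automatically
            return "Added in disabled mode: ask the owner to enable you."
        self.operator_log.append(f"password reused by {peer_id}")
        if self.reply_on_reuse:
            return "Password already used: tell the owner."
        return None

    def enable(self, peer_id):
        """Owner action, taken after the person confirms out of band."""
        if self.peers.get(peer_id) == "disabled":
            self.peers[peer_id] = "enabled"

    def delete(self, peer_id):
        """Owner action: drop an entry nobody vouched for."""
        self.peers.pop(peer_id, None)


def interception_scenario(reply_on_reuse):
    """Constructed scenario: an interceptor redeems before the invited friend."""
    node = InviteRegistry(reply_on_reuse)
    node.redeem("interceptor", node.password)
    notice = node.redeem("friend", node.password)
    if notice is not None:
        # The friend relays the notice out of band; the owner removes the entry.
        node.delete(node.used_by)
    return notice, dict(node.peers), list(node.operator_log)
```

In both modes the interceptor is never enabled, because enabling needs the owner's out-of-band confirmation. With `reply_on_reuse=False` the friend hears nothing, so removing the stale disabled entry depends on the owner noticing it locally.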