On 01/31/2013 04:34 AM, Petr Spacek wrote:
> On 30.1.2013 05:35, Dmitri Pal wrote:
>> Hello,
>> We started to shape a page for the OTP prototyping work we are doing.
>> It is work in progress but it has enough information to share and
>> discuss.
>> http://freeipa.org/page/V3/OTP
>> Comments welcome!
> I gave it a quick look. Generally, the core seems correct to me. I
> have only nitpicks:
> I see big amount of new ipa* specific attributes.
> How other OTP solutions store tokens/configuration? Is there any
> standard/semi-standard LDAP schema with attributes describing tokens?

No. Not that we are aware of.
> MIT KDC has own ("native") LDAP driver. 
Which they do not like and do not want to do more with it.
We effectively wrote our own.
> It would be nice to coordinate OID allocation and schema definition
> with MIT and share as much attributes as possible. Do they plan to
> support OTP configuration in LDAP? (I don't see any note about LDAP
> support in http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS .)

They do not plan. And we do not plan to extend the driver. This is the
reason for the current design.
> Is the author of
> https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
> aware of our effort?
No I need to reach out to him.

> What about re-using http://www.dynalogin.org/ server for TOTP/HOTP
> implementation (rather than writing own OTP-in-389 implementation)? I
> haven't looked to the dynalogin code ...

The TOTP/HOTP algorithm is very simple there is really no much to reuse.
> Could be (old) draft "SASL and GSS-API Mechanism for Two Factor
> Authentication based on a Password and a One-Time Password (OTP):
> CROTP" from
> http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00 interesting
> for us (in future)? Is it worth to resurrect this effort?
Not sure. We will see.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-devel mailing list

Reply via email to