No - you don't seem to understand. The challenge-response protocol can ask someone for the RSA key fob number this time, their mother's maiden name the next time, their employee number the time after that, and nothing on the fourth occasion. You cannot predict what the extra information requested is going to be - so you can't provide the extra information in the initial connection attempt because you don't know which extra information is going to be needed. That's what provides the security - the unpredictability of the question, so that it is hard to pre-programme the answer.

Ah but you can know in advance! :) You may not know the actual result per instance, but you CAN know the decision process you'll need to go through. Which you can provide as a parameter in the form of a CODE reference. :) i.e. a callback

But that's a minor point and overall I completely agree with your general ideas.

Adam K

Reply via email to