On Mon, Jun 04, 2007 at 03:15:40PM -0700, Henry B. Hotz wrote: > IMO the interesting technical problem w.r.t. OTP is how you create > intra-kdc state so a password can't be sniffed and re-used with a > different KDC. You need to do this in a way that does not degrade > the robustness of the service.
I thought the interesting problem was how to protect the authentication step given that most OTPs are non-key-generating or, if they do generate keys, they generate weak ones. The problem you mention is the OTP vendor's problem, not the KDC implementor's. Nico --
