-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
> On the bright side, it should be fairly easy to write an OTP calculator

quoted text
> that run on a cell phone

These already exist for J2ME-enabled mobiles (which is most of them?):
http://tanso.net/j2me-otp/

http://otp-j2me.sourceforge.net/
> Systems like OPIE, where the challenge is actually issued to the user

quoted text
> and not just to the user's software, require the user to have access to

> a response calculator, or to carry a sheet of precalculated responses.

There exist apps (i.e., browsers, FTP clients, mailers, etc) that

integrate OPIE and can transparently respond to challenges.  The user just

puts in his password, and he doesn't worry about plaintext or OPIE or

whatever; the app just does the right thing.  Fetch, an FTP client for the

Mac, is one such app.
One could argue that this encourages users to just punch in their password

and not understand if it's going to go over the wire in the clear or be

used to answer a challenge, but it's very useful when you have users who

are incapable of making such distinction in the first place and you just

need to make sure their password is secure for _your_ service.
  -Jason
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.7 (FreeBSD)

Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQFIc7+YswXMWWtptckRAoaAAJkBnis9pNHnwuXCc6zjqESrDh8zGwCfTYWC

41JZRoD12LhIpG3QK7cfhMU=

=w11K

-----END PGP SIGNATURE-----

_______________________________________________

freebsd-security@freebsd.org mailing list

http://lists.freebsd.org/mailman/listinfo/freebsd-security

To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"