On Thu, Aug 07, 2014 at 05:33:38PM +0200, Pierre-Yves Chibon wrote:
> The key ideas are:
> ==================
> * the username, password and OTP are not sent in the same request (otherwise, if
>   $attacker intercepts this request, $it has all the info at once)

What kind of attacker is able to only intercept this one request, but
cannot intercept the second request as well? This assumed threat seems
to lead to more complexity which might allow for more errors without an
obvious gain in security from what I can see.

Regards
Till
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure