On Thu, Aug 07, 2014 at 11:44:03PM +0200, Till Maas wrote:
> On Thu, Aug 07, 2014 at 05:33:38PM +0200, Pierre-Yves Chibon wrote:
>
> > The key ideas are:
> > ==================
> >
> > * the username, password and OTP are not sent in the same request (otherwise, if
> > $attacker intercepts this request, $it has all the info at once)
>
> What kind of attacker is able to only intercept this one request, but
> cannot intercept the second request as well? This assumed threat seems
> to lead to more complexity which might allow for more errors without an
> obvious gain in security from what I can see.

So I just discussed this with Kanarip again.

The idea is to decouple the username/password from the OTP so that if you have 10
requests at the same time, then it's harder for the MITM to correlate which OTP
refers to which username/password sent before.

To do the two requests and still have the correlation on the server side of which
OTP belongs to which username/password, Kanarip had two propositions:
- Keep the connection open and send the second request
- Provide back, from the username/password step, a one-time token that will be
  returned with the OTP

On the other side, Kanarip did say it's all a matter of compromise and we just need
to make a tradeoff on what we want and which risk we're ready to take.

Pierre

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
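The second proposition in the message above, a one-time token handed back after the username/password step and presented again with the OTP, can be sketched server-side as follows. This is an added example, not code from the thread, from Fedora Infrastructure or from any of the people named; the class and method names (`TwoStepAuthServer`, `step1_password`, `step2_otp`, `ManualClock`) are hypothetical, the credentials are constructed, and the TOTP secret is the RFC 4226/6238 test-vector key. The token is the only thing that correlates the two requests, it is bound to the user, short-lived and single-use, so replaying it or pairing it with a different user's OTP fails.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo credentials (not real accounts). The TOTP secret is the
# 20-byte RFC 4226 / RFC 6238 test-vector key, used here only so results are checkable.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = b"12345678901234567890"
TOKEN_TTL = 60        # seconds a step-1 token stays valid (assumed value)
TOTP_STEP = 30        # seconds per TOTP time step
TOTP_WINDOW = 1       # accept +/- one step of clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """TOTP per RFC 6238: HOTP with the current time step as the counter."""
    return hotp(secret, int(at) // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ManualClock:
    """Injectable clock so the flow (and token expiry) can be exercised deterministically."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class TwoStepAuthServer:
    """Hypothetical server side of the decoupled flow: step 1 checks the password and
    returns an opaque correlation token; step 2 consumes that token together with the OTP."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, password_hash, totp_secret)
        self.pending = {}   # token -> (username, expiry)

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt), totp_secret)

    def step1_password(self, username: str, password: str):
        """Return a short-lived, single-use token on success, None otherwise."""
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal whether the name exists.
        salt, stored, _ = record if record else (b"\x00" * 16, b"\x00" * 32, None)
        candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, self.clock() + TOKEN_TTL)
        return token

    def step2_otp(self, token: str, otp: str) -> bool:
        """Consume the token and verify the OTP for the user it is bound to."""
        entry = self.pending.pop(token, None)   # removed whether or not the OTP verifies
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        secret = self.users[username][2]
        counter = int(self.clock()) // TOTP_STEP
        for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
            if hmac.compare_digest(hotp(secret, counter + delta), otp):
                return True
        return False


def demo() -> dict:
    """Run the flow once: success, token replay, and token expiry."""
    clock = ManualClock(59.0)
    srv = TwoStepAuthServer(clock=clock)
    srv.add_user(DEMO_USER, DEMO_PASSWORD, DEMO_TOTP_SECRET)
    token = srv.step1_password(DEMO_USER, DEMO_PASSWORD)
    first = srv.step2_otp(token, totp(DEMO_TOTP_SECRET, clock.now))
    replay = srv.step2_otp(token, totp(DEMO_TOTP_SECRET, clock.now))
    token2 = srv.step1_password(DEMO_USER, DEMO_PASSWORD)
    clock.now += TOKEN_TTL + 1
    expired = srv.step2_otp(token2, totp(DEMO_TOTP_SECRET, clock.now))
    return {"first": first, "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Because the server looks the user up through the token rather than through a repeated username, an observer who sees only the second request gets an opaque value and a six-digit code, which is the decoupling the message describes; the TTL and single-use rule bound how long that token is worth anything if it is captured.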