OTP, deployability.

Russ Allbery rra at stanford.edu
Thu Jun 16 13:58:09 EDT 2011


"Roland C. Dowdeswell" <elric at imrryr.org> writes:

> 	5.  3rd party vendor code frequently expects to do a PLAIN
> 	    auth against LDAP to validate user passwds.  Maybe some
> 	    internally developed software simply queries LDAP.

I'll second this.  We have this problem with our VPN infrastructure and
were already starting to think about how we could hack around the
limitation to use OTP.  (The evil plan we currently have was to put up a
new LDAP server for the VPN authentications that uses back_ldap and a
custom saslauthd to take apart the password into a password and OTP
component and assemble the authentication separately, then package it back
to the VPN infrastructure as if it were a password bind.)

> 	6.  web browsers on iPhones, iPads, blackberries, etc. can't
> 	    do Kerberos and likely connect to one or more systems that
> 	    are likely to have the assumption that user+pass is the
> 	    structure of authentication.

Client-side certificates tied to a principal that isn't the user's basic
principal but instead is a principal scoped to that device that can be
separately revoked seem to be the way to go here.  The user really wants
to just authenticate their phone, not themselves using their phone, for
most things the user does (even if they don't realize that).

That still leaves open the problem that, as you say, applications expect a
username-password, but I wonder if you couldn't use the certificate on the
phone and another app to generate the password that the application can
use and then cut and paste it into the application.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
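The message above describes a proxy that takes apart a submitted "password" into a static password and an OTP component and verifies each separately, so that a client that can only do a plain user+password bind still ends up two-factor authenticated. The following is an added illustration of that splitting-and-verification step, written for this page; it is not code from the email, from Stanford's deployment, or from saslauthd/back_ldap. It assumes the OTP is a fixed-length 6-digit TOTP (RFC 6238, HMAC-SHA1) appended to the password, a constructed in-memory user record in place of a real directory, and a caller-supplied clock so the check can be tested offline.

```python
import hashlib
import hmac
import struct

# Constructed demo user record standing in for a directory/KDC lookup.
# The TOTP seed is the RFC 6238 test-vector secret; the password is a placeholder.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(for_time) // step, digits)


def split_credential(combined: str, otp_digits: int = 6):
    """Take the combined 'password+OTP' string apart (assumed fixed-length numeric suffix).

    Returns (password, otp) or None if the input cannot be an OTP-suffixed password.
    """
    if len(combined) <= otp_digits or not combined[-otp_digits:].isdigit():
        return None
    return combined[:-otp_digits], combined[-otp_digits:]


def verify_otp(secret: bytes, otp: str, now: int, step: int = 30,
               digits: int = 6, window: int = 1) -> bool:
    """Accept the current time step plus `window` steps either side for clock skew."""
    counter = int(now) // step
    # Evaluate every candidate (no early exit) and compare in constant time.
    matches = [hmac.compare_digest(hotp(secret, counter + d, digits), otp)
               for d in range(-window, window + 1)]
    return any(matches)


def authenticate(username: str, combined: str, now: int) -> bool:
    """The proxy's decision: split the submitted secret, then verify both factors."""
    record = USERS.get(username)
    parts = split_credential(combined)
    if record is None or parts is None:
        return False
    password, otp = parts
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000),
        record["pw_hash"],
    )
    otp_ok = verify_otp(record["totp_secret"], otp, now)
    # Both checks always run so a failure in one does not leak which factor was wrong.
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At t=59 the RFC 6238 SHA-1 vector yields 94287082, i.e. "287082" at 6 digits.
    print(authenticate("alice", "correct horse287082", 59))
```

The proxy would call `authenticate()` in place of the plain bind and only then perform the real bind (or Kerberos exchange) on the client's behalf. Two design points worth keeping from the email's sketch: the split must be unambiguous (here a fixed-length numeric suffix, so a password ending in digits is still handled correctly), and both factors should be checked on every attempt rather than short-circuiting on the first failure.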
