>I think everyone can agree that typing passwords over the Internet is
>not a good idea and one-time passwords are a good solution. S/Key may
>be ugly :-) but it works for me.
Suspect public key encryption (something like PGP) might be the answer but
will need an automating mechanism. Consider the following: I try to telnet
in. The requested host (firewall, gateway - can put at level 2 or 3) checks
for my public key - if found, it generates a random ASCII sequence, encrypts
with my public key and fires it back. I receive, decrypt with my secret key
and return the result. With proper applications programming, all I would ever
need to do is to enter my passphrase at the start of a session, everything
else could be automatic.
Could even use for full session encryption - by the fact that you can
communicate at all, authentication is made.
True we have the problem of key exchange but there are several means for that.
Might even be able to use DSS - fed certainly wants to. Point is that there
are numerous potential solutions waiting to be applied. Certainly wish I
had the time to develop some.
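
The challenge-response exchange described in the message above, as an added example that is not part of the original post: the host encrypts a fresh random value to the user's public key and accepts the login only if the decrypted value comes back, once. The names (Host, client_respond, demo, the user "alice") and the key are constructed for illustration, and unpadded textbook RSA stands in for PGP-style encryption so the block needs only the standard library.

```python
import hmac
import secrets

# Toy textbook RSA (no padding) built from two known Mersenne primes.
# Constructed for illustration; real use needs a vetted library with OAEP.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # the user's secret exponent


class Host:
    """Gateway side: holds public keys only and issues one-time challenges."""

    def __init__(self, public_keys):
        self.public_keys = public_keys  # user -> (n, e)
        self.pending = {}               # user -> outstanding random value

    def challenge(self, user):
        if user not in self.public_keys:
            return None                 # no public key on file: refuse
        n, e = self.public_keys[user]
        nonce = secrets.randbits(128)   # fresh random value per attempt
        self.pending[user] = nonce
        return pow(nonce, e, n)         # encrypt with the user's public key

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: blocks replay
        if nonce is None:
            return False
        n = self.public_keys[user][0]
        if not 0 <= response < n:       # reject out-of-range answers
            return False
        size = (n.bit_length() + 7) // 8
        # constant-time comparison of the returned plaintext
        return hmac.compare_digest(nonce.to_bytes(size, "big"),
                                   response.to_bytes(size, "big"))


def client_respond(ciphertext, d=D, n=N):
    """Client side: decrypt the challenge with the secret key."""
    return pow(ciphertext, d, n)


def demo():
    host = Host({"alice": (N, E)})
    r1 = client_respond(host.challenge("alice"))
    ok = host.verify("alice", r1)       # correct answer to a live challenge
    replay = host.verify("alice", r1)   # same answer, no outstanding challenge
    host.challenge("alice")
    stale = host.verify("alice", r1)    # old answer against a new challenge
    return ok, replay, stale, host.challenge("mallory")
```

The host never stores a secret for the user; a captured response is useless because each random value is consumed on first verification.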
From: Bob Snyder <snyderra @