RFC 2243 (rfc2243) - Page 3 of 10

OTP Extended Responses

Alternative Format: Original Text Document


RFC 2243                 OTP Extended Responses            November 1997


   An example of an extended challenge indicating support for OTP
   extended responses and for a mythical response set "foo" is:

      otp-md5 123 mi1234 ext,foo

   An example of an extended response using a mythical type named "foo"
   is:

      foo:some data:some more data:12345

2.2. Requirements

   A server compliant with this specification:

      1. MUST be able to receive and parse the general form of an
         extended response
      2. MUST be able to receive, parse, and correctly process all
         extended responses specified in this document
      3. MUST process the type field in a case-insensitive manner
      4. MUST reject any authentication attempt using an extended
         response if it does not support that type of response
      5. SHOULD provide an appropriate indication to the generator
         if the response was rejected because of (4)
      6. MUST limit the length of the input reasonably
      7. MUST accept otherwise arbitrary amounts of whitespace
         wherever a response allows it
      8. MUST be able to receive and correctly process standard OTP
         responses

   A generator compliant with this specification:

      1. MUST be able to generate standard OTP responses
      2. MUST use standard responses unless an extended challenge
         has been received for the particular server AND seed
      3. MUST generate the type field in lower case
      4. MUST NOT send a response type for which the server has not
         indicated support through an extended challenge

   Extension set identifiers and extension type identifiers named with
   the prefix "x-" are reserved for private use among mutually
   consenting implementations. Implementations that do not recognise a
   particular "x-" extension MUST ignore that extension. This means that
   all "x-" extensions are likely to be non-interoperable with other
   extensions. Careful consideration should be given to the possibility
   of a server interacting with with a generator implementation which,
   although it recognizes a given "x-" extension, uses it for a
   different purpose. All of the remaining extension namespace is
   reserved to IANA, which will only officially assign the extension



Metz                        Standards Track

Web Standards & Support: