by redmail.netbsd.org with SMTP; 1 Feb 2000 13:03:19 -0000
          by poptart.corp.home.net (Netscape Messaging Server 3.54)
           with ESMTP id AAA53F6; Tue, 1 Feb 2000 05:03:13 -0800
Message-Id: <4.2.0.58.20000201080319.00962460@avarice.inner.net>
Date: Tue, 01 Feb 2000 08:04:36 +0000
To: Erik Fair <security-officer@netbsd.org>
From: RJ Atkinson <rja@inet.org>
Subject: Re: [harikiri@ATTRITION.ORG: S/Key & OPIE Database
  Vulnerability]
Cc: Andrew Brown <atatat@atatdot.net>,tech-security@netbsd.org
In-Reply-To: <v04220801b4b9a9cb09b5@[204.179.128.134]>
References: <20000124175648.A13877@noc.untraceable.net>
 <20000124175648.A13877@noc.untraceable.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 08:42 30-01-00 , Erik Fair wrote:

>This is the first time I've heard of this, however, as you point out, NetBSD is A.O.K.

I don't think folks understand how S/KEY, OTP, and OPIE work.
Nothing that is terribly sensitive is ever kept on any disk --
this is part of the fundamental design of the OTP system.

I've suggested cmetz send out a clarifying note with regards
to OPIE and OTP; I'm not sure if he will do so.

Ran