[Cryptography-dev] HOTP/TOTP in Cryptography

Paul Kehrer paul.l.kehrer at gmail.com
Sun Feb 9 18:39:58 CET 2014


In short: do we want to add HOTP/TOTP support to cryptography?

An issue was filed last night by a developer who would like to add HOTP/TOTP support to the project (tracking issue: https://github.com/pyca/cryptography/issues/588). This led to a discussion in IRC this morning where Donald raised some concerns about what criteria we should have for adding/maintaining constructions under our umbrella (see the link above for his full thoughts).

I would argue that HOTP/TOTP meet the threshold (whatever it is) of noteworthiness for inclusion in the project because they are well-defined, simple protocols that won’t be a maintenance burden and benefit from being inside a well-tested (and trusted?) library. They are also in common use, so we don’t have to be concerned about including code no one would ever use.

The counterargument is well summarized by Donald: "As far as I know HOTP/TOTP do not need anything backend specific and can be completely implemented using the standard library's hashlib. Is there a benefit to using our backends? Is there anything that we'd want to use the backends for at all? (Storing secrets in a HSM?)."

Opinions welcome. :)

-Paul  
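
For reference, the standard-library-only construction mentioned in the counterargument looks roughly like this. This is an added example, not part of the original message and not code from the cryptography project; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP), and the function names and the `look_ahead` window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    # The low nibble of the last byte selects a 4-byte window in the MAC.
    offset = mac[-1] & 0x0F
    # Mask the top bit so the value is a non-negative 31-bit integer.
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep leading zeros: the code is a fixed-width string, not a number.
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time) // step, digits, digestmod)


def verify_hotp(key: bytes, candidate: str, counter: int,
                look_ahead: int = 3, digits: int = 6):
    """Check a submitted code against the stored counter (hypothetical helper).

    Returns the next counter value to persist on success, or None on failure.
    Codes for counters below the stored one are never accepted, so a code that
    was already used cannot be replayed.
    """
    for c in range(counter, counter + look_ahead + 1):
        expected = hotp(key, c, digits)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return c + 1
    return None


if __name__ == "__main__":
    # Shared secret from the RFC 4226 / RFC 6238 test vectors.
    rfc_key = b"12345678901234567890"
    print(hotp(rfc_key, 0), totp(rfc_key, for_time=59, digits=8))
```
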
