From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <00c001c40977$dfcdc820$67844051@SOMA>
From: "boyd, rounin" <boyd@insultant.net>
To: <9fans@cse.psu.edu>
References: <76cc93f6db46e7ad7bd84bceb250ba14@collyer.net> <004b01c40813$bb9261b0$df756f51@ntlworld.com> <200403141640.00154.ncj@mcs.vuw.ac.nz>
Subject: Re: [9fans] cryptographic signatures & factotum
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Date: Sun, 14 Mar 2004 04:53:08 +0100
Topicbox-Message-UUID: 2e15e9f2-eacd-11e9-9e20-41e7f4b1d025

> You should also include a time stamp to prevent replay attacks. Suppose
you
> send [command, time, SHA1(command, secret, time)] to your work computer.

you mean a 'nonce'.  time is a really bad choice.

however, the SecureID cards used time, and it was explained to me
that they did it in a clever/secure way by mjr.