otpasswd-talk

[Otpasswd-talk] Today's daily observations (dwa)


From: Hannes Beinert
Subject: [Otpasswd-talk] Today's daily observations (dwa)
Date: Thu, 7 Jan 2010 17:43:36 -0600

1. I kind of alluded to it earlier, but you might consider a "brief
usage" message.  Personally, I tend to like to keep console clutter to
a minimum.  So, for example, what if:

     $ otpasswd --help
        [... does what it does now ...]

but,

     $ otpasswd -h
     Usage: otpasswd [options]
                -k, --key     Generate key
                -r, --remove  Remove key
                -i, --info    Display user configuration
                [... blah blah blah ...]
                -h            Command-line usage summary
                --help        Extended usage summary

Then, for certain UI errors, you could print the more terse usage
summary rather than the long one.

2. I have been thinking...  do you think that printing the key/counter
values with an --info option is a security risk?  I'm wondering if
these values should only be printed for the administrator...  and,
maybe a hash of the key/counter for the user?  That way they could
tell if it was the same key/counter, or a different one, but they
wouldn't have the exact value?  OTOH, not having access to the
key/counter would make it impossible to use an external passcode
generation device.  Hmmm.  How about another option flag, such as
"--secret-key"/"-S" (or, "--exact" / "-X", or...?)  That way it would
print the hash if the optional --secret-key (or whatever) flag wasn't
used.  It would force the user to be deliberate in his choice.  This
is the approach that gpg uses for some "private key" operations...

3. In the state files, you are currently saving FIELD_FLAGS as a %u,
when it's a bit-wise encoded field.  Wouldn't %x or %o be a little
more "obvious"?

As always, I'm hiding in the bushes throwing hand grenades...  ;-)

Hannes.
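
Added example, not part of the message above and not otpasswd's own code: a sketch of the item 2 proposal, where --info prints a truncated SHA-256 fingerprint of the key and counter unless the proposed --secret-key/-S flag is also given, with the flags field shown in hex as in item 3. The sample key, counter, flag value, output labels and function names are assumptions made for illustration.

```python
import argparse
import hashlib
import sys

# Constructed sample state (not real otpasswd data or its state-file format).
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
SAMPLE_COUNTER = 42
SAMPLE_FLAGS = 0x05  # bit-wise field, so shown in hex as item 3 suggests


def fingerprint(key: bytes, counter: int) -> str:
    """One-way identifier for a (key, counter) pair.

    Only safe to show because the key is long and random; a hash of the
    counter alone could be recovered by guessing.
    """
    h = hashlib.sha256()
    h.update(b"info-fingerprint-v1\x00")          # domain separation (assumption)
    h.update(len(key).to_bytes(2, "big") + key)   # length prefix avoids ambiguity
    h.update(counter.to_bytes(16, "big"))
    return h.hexdigest()[:16]                     # 64 bits is enough to compare by eye


def render_info(key, counter, flags, reveal=False):
    """Lines for --info; exact secrets only when reveal is set."""
    lines = [f"Flags       = 0x{flags:02x}"]
    if reveal:
        lines += [f"Key         = {key.hex()}", f"Counter     = {counter}"]
    else:
        lines.append(f"Fingerprint = {fingerprint(key, counter)}")
    return lines


def run(argv):
    p = argparse.ArgumentParser(prog="info-demo")
    p.add_argument("-i", "--info", action="store_true",
                   help="display user configuration")
    p.add_argument("-S", "--secret-key", action="store_true",
                   help="with --info, print the exact key and counter")
    args = p.parse_args(argv)
    if args.secret_key and not args.info:
        p.error("--secret-key only makes sense together with --info")
    if not args.info:
        return []
    return render_info(SAMPLE_KEY, SAMPLE_COUNTER, SAMPLE_FLAGS, args.secret_key)


if __name__ == "__main__":
    print("\n".join(run(sys.argv[1:])))
```

Because the counter is part of the hash input, the fingerprint changes whenever either the key or the counter changes, which is the comparison the proposal asks for.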



