
wss message



Subject: Revised WSS OTP-Token proposal


Following last week's discussion, we'd like to offer the following
revised version of the OTP-Token proposal for consideration by the TC:

RSA Security and VeriSign would like to propose a new work item for the
WSS TC, defining a WSS profile for use of One-Time Password (OTP)
authentication.  The intended goal is to accommodate a broad range of
OTP technologies within the WSS framework.  While conceptually similar
to the existing UsernameToken profile, this profile would support
transport of OTP-related ancillary information (e.g., PINs, challenges,
counters, device and algorithm identifiers) in conjunction with
authentication requests in order to provide comprehensive support for
OTP methods within the WSS/SOAP environment. 

We anticipate that the profile will accommodate OTP methods including
(but not limited to) OATH HOTP, RACF PassTickets, RSA SecurID(r)
authenticator token devices, and other candidates that may be identified
within the TC. While IPR claims may apply to underlying OTP methods that
the profile may support, the proposers intend that the constructions to
be defined in the profile itself be unencumbered. 

This profile would be functionally comparable to other profiles defined
within the WSS TC, so we believe it is appropriate to standardize within
the same forum.  We propose that this activity be undertaken as a
general TC work item, comparable to other profiles addressed by the TC,
rather than within a distinct subcommittee. It is not the proposers'
intent that this work item be incorporated into WSS 1.1, or that it
delay TC progress on that release.  

We anticipate that existing and related work will be available as input
for this task.  The One-Time Password Specifications (OTPS,
http://www.rsasecurity.com/rsalabs/otps) 
initiative, coordinated by RSA Security, has produced an OTP-WSS-Token
specification which has evolved in response to public review and
comment. RSA Security proposes to submit a version of this document as
input to the WSS TC.  

VeriSign, in conjunction with the Open Authentication initiative (OATH,
http://www.openauthentication.org) is also producing work related to an
OTP token profile.  We anticipate that versions of these input documents
will be ready for OASIS submission by or during October 2005. We propose
that the results of these efforts, along with any other inputs which may
be received through the OASIS process, be harmonized under WSS TC
auspices.
 

John Linn, RSA Security
Hans Granqvist, VeriSign



