
cti-taxii message



Subject: RE: Authentication


Under this idea, TAXII would be “HTTPS everywhere”.


As an additional point of context (and thank you to the Slack channel for educating me on this), the JSON Web Token is similar to how your phone apps do authentication. You type in your username and password once when you want to connect and the app gets a token back, and the app discards your username and password. From then on, the token is refreshed and only under certain conditions (e.g., app reinstall) are you asked to put your username and password in again. Ideally (IMO), if we can apply this concept to TAXII, usernames and passwords will be sent across the wire very infrequently.


For me, the proposal is:


· HTTPS everywhere
· HTTPS + HTTP Basic + JWT is mandatory
· Extension point for additional authentication factors (the design of this is TBD)


Once we get an authentication concept in rough agreement on the list, I think we’ll have enough things worked out that we can start making interoperable prototypes.


Are there any comments on the proposed authentication design?


Thank you.

-Mark


From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Tuesday, October 06, 2015 12:52 PM
To: cti-taxii@lists.oasis-open.org
Subject: [cti-taxii] Authentication


We have had some discussion on the Slack channel over the past week about authentication and I mentioned at the end of last week that I would like to move that forward.


It has been proposed on the Slack channel that we use HTTP Basic with JWT (JSON Web Tokens) for the mandatory authentication in TAXII 2.0 with an extension point that is somehow discoverable to allow for multi-factor authentication.

Thanks,


Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
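The flow proposed in Bret's message and spelled out in Mark's reply (credentials sent once over HTTP Basic, a JWT handed back, every later request and each refresh carrying only the bearer token) can be sketched in a few dozen lines. The code below is an added illustration for this archive page; it is not part of either message, not a TAXII reference implementation, and not any project's code. The HMAC secret, the salt, the single user record and the 900-second token lifetime are constructed placeholders, the function names are hypothetical, and TLS ("HTTPS everywhere") is assumed to be provided by the transport rather than by this code. The server side pins the algorithm to HS256, checks the signature in constant time and enforces expiry, which are the checks a deployment would need before trusting a token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret for the example only; a deployment would
# generate this out of band and never keep it in source code.
SERVER_SECRET = b"example-only-hmac-key-not-for-production"

# Constructed credential store: username -> PBKDF2 hash of the password.
_SALT = b"example-salt"
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
}

TOKEN_LIFETIME = 900  # seconds; short-lived token that the client refreshes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def basic_header(user: str, password: str) -> str:
    """Client side: build the one Authorization header that carries the password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def issue_jwt(username: str, now=None) -> str:
    """Mint a compact HS256 JWT (header.payload.signature) for `username`."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now=None):
    """Return the payload if algorithm, signature and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side: the token never gets to choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def login_with_basic(authorization: str, now=None):
    """Handle the single request that carries HTTP Basic credentials; returns a JWT or None."""
    scheme, _, cred = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(cred).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):
        return None
    return issue_jwt(user, now)


def authenticate_request(authorization: str, now=None):
    """Every later request carries `Authorization: Bearer <jwt>`; returns the subject or None."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer":
        return None
    payload = verify_jwt(token, now)
    return payload["sub"] if payload else None


def refresh(authorization: str, now=None):
    """Trade a still-valid bearer token for a fresh one without resending the password."""
    sub = authenticate_request(authorization, now)
    return issue_jwt(sub, now) if sub else None
```

The password crosses the wire exactly once, in `login_with_basic`; `refresh` keeps the session alive on the strength of the existing token, so a user is only prompted again once a token has lapsed past its lifetime, which is the phone-app behaviour Mark describes. The `now` parameter exists so the expiry logic can be exercised deterministically.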
