The RSA/OTPS document in question does not
specify a particular OTP method, but instead proposes a method-independent profile
that can be used to apply a variety of OTP methods along with WSS. In
essence, therefore, its scope is comparable to that of the proposed work item;
along with other inputs, we would hope that it would contribute relevant work
which would be useful in constructing the anticipated deliverable.
For reference, the document is available
at ftp://ftp.rsasecurity.com/pub/otps/wss-token/wss-token-v1-0.pdf.
I don’t anticipate that further technical changes would take place before
a TC submission, though some frontmatter and administrative revisions may be
made. WRT IPR, the document states as follows (within Appendix B,
Notices):
“RSA Security does not make any claims on the general
constructions described in this document. The RSA SecurID technology implementations
of time-based mode authenticator token devices, and related validation
processing components, are covered by a number of US patents (and foreign
counterparts), in particular US Patent Nos. 4,885,778; 4,856,062; 5,097,505;
5,168,520 and 5,657,388. Additional patents are pending. As this
specification can be implemented without the use of time-based mode
authentication technology, it is RSA Security’s position that the
technology covered by these patents and applications is not required to
implement this specification.”
Further, we are not currently aware of any
IP claims which others may make which would affect the general constructions as
described in this document, but have requested that OTPS participants who have
been involved in review and comment on its predecessor drafts inform us of any
such claims.
--jl
From: Anthony Nadalin
[mailto:drsecure@us.ibm.com]
Sent: Wednesday, September 28,
2005 4:05 PM
To: Kelvin Lawrence
Cc: Linn, John;
wss@lists.oasis-open.org
Subject: Re: [wss] Revised WSS
OTP-Token proposal
Its
still confusing as its states that "RSA Security proposes to submit a
version of this document as
"input to the WSS TC" yet as discussed it was indicated that this
effort is not about a single technology, so I would assume that the document
would be not input but referenced, much like PKI, Kerberos etc. Also if RSA
plans to really submit the document as input what would be the IPR terms ? Same
goes to Verisign ?
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Kelvin
Lawrence/Austin/IBM@IBMUS
|
Kelvin
Lawrence/Austin/IBM@IBMUS 09/27/2005 05:39 PM |
|
John and Hans, thank you for taking the time to update and re-post your
proposal.
TC Members, Now that we have a modified proposal in front of us what do people
think?
I would very much like to see some discussion here so that we can be effective
on the call on Tuesday.
Thanks to those of you that have already posted your views
Cheers
Kelvin
"Linn, John"
<jlinn@rsasecurity.com> wrote on 09/27/2005 10:48:05 AM:
> Following last week's
discussion, we'd like to offer the following
> revised version of
the OTP-Token proposal for consideration by the TC:
>
> RSA Security and
VeriSign would like to propose a new work item for the
> WSS TC, defining a
WSS profile for use of One-Time Password (OTP)
> authentication.
The intended goal is to accommodate a broad range of
> OTP technologies
within the WSS framework. While conceptually similar
> to the existing
UsernameToken profile, this profile would support
> transport of
OTP-related ancillary information (e.g., PINs, challenges,
> counters, device and
algorithm identifiers) in conjunction with
> authentication
requests in order to provide comprehensive support for
> OTP methods within
the WSS/SOAP environment.
>
> We anticipate that
the profile will accommodate OTP methods including
> (but not limited to)
OATH HOTP, RACF PassTickets, RSA SecurID(r)
> authenticator token
devices, and other candidates that may be identified
> within the TC. While
IPR claims may apply to underlying OTP methods that
> the profile may
support, the proposers intend that the constructions to
> be defined in the
profile itself be unencumbered.
>
> This profile would be
functionally comparable to other profiles defined
> within the WSS TC, so
we believe it is appropriate to standardize within
> the same forum.
We propose that this activity be undertaken as a
> general TC work item,
comparable to other profiles addressed by the TC,
> rather than within a
distinct subcommittee. It is not the proposers'
> intent that this work
item be incorporated into WSS 1.1, or that it
> delay TC progress on
that release.
>
> We anticipate that
existing and related work will be available as input
> for this task.
The One-Time Password Specifications (OTPS,
> http://www.rsasecurity.com/rsalabs/otps)
> initiative,
coordinated by RSA Security, has produced an OTP-WSS-Token
> specification which
has evolved in response to public review and
> comment. RSA Security
proposes to submit a version of this document as
> input to the WSS TC.
>
> VeriSign, in
conjunction with the Open Authentication initiative (OATH,
> http://www.openauthentication.org)
is also producing work related to an
> OTP token profile.
We anticipate that versions of these input documents
> will be ready for
OASIS submission by or during October 2005. We propose
> that the results of
these efforts, along with any other inputs which may
> be received through
the OASIS process, be harmonized under WSS TC
> auspices.
>
>
> John Linn, RSA
Security
> Hans Granqvist,
VeriSign
>
>
>
>
---------------------------------------------------------------------
> To unsubscribe from this
mail list, you must leave the OASIS TC that
> generates this mail.
You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>