The RSA/OTPS document in question does not specify a particular OTP method, but instead proposes a method-independent profile that can be used to apply a variety of OTP methods along with WSS. In essence, therefore, its scope is comparable to that of the proposed work item; along with other inputs, we would hope that it would contribute relevant work which would be useful in constructing the anticipated deliverable.
For reference, the document is available at ftp://ftp.rsasecurity.com/pub/otps/wss-token/wss-token-v1-0.pdf. I don’t anticipate that further technical changes would take place before a TC submission, though some frontmatter and administrative revisions may be made. WRT IPR, the document states as follows (within Appendix B, Notices):
“RSA Security does not make any claims on the general constructions described in this document. The RSA SecurID technology implementations of time-based mode authenticator token devices, and related validation processing components, are covered by a number of US patents (and foreign counterparts), in particular US Patent Nos. 4,885,778; 4,856,062; 5,097,505; 5,168,520 and 5,657,388. Additional patents are pending. As this specification can be implemented without the use of time-based mode authentication technology, it is RSA Security’s position that the technology covered by these patents and applications is not required to implement this specification.”
Further, we are not currently aware of any IP claims which others may make which would affect the general constructions as described in this document, but have requested that OTPS participants who have been involved in review and comment on its predecessor drafts inform us of any such claims.
--jl
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Wednesday, September 28, 2005 4:05 PM
To: Kelvin Lawrence
Cc: Linn, John; wss@lists.oasis-open.org
Subject: Re: [wss] Revised WSS OTP-Token proposal
It's still confusing as it states that "RSA Security proposes to submit a version of this document as input to the WSS TC" yet as discussed it was indicated that this effort is not about a single technology, so I would assume that the document would be not input but referenced, much like PKI, Kerberos etc. Also if RSA plans to really submit the document as input what would be the IPR terms? Same goes to Verisign?
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
Kelvin Lawrence/Austin/IBM@IBMUS
09/27/2005 05:39 PM
To: "Linn, John" <jlinn@rsasecurity.com>
cc: wss@lists.oasis-open.org
Subject: Re: [wss] Revised WSS OTP-Token proposal
John and Hans, thank you for taking the time to update and re-post your proposal.
TC Members,
Now that we have a modified proposal in front of us what do people think? I would very much like to see some discussion here so that we can be effective on the call on Tuesday.
Thanks to those of you that have already posted your views
Cheers
Kelvin
"Linn, John" <jlinn@rsasecurity.com> wrote on 09/27/2005 10:48:05 AM:
> Following last week's discussion, we'd like to offer the following revised version of the OTP-Token proposal for consideration by the TC:
>
> RSA Security and VeriSign would like to propose a new work item for the WSS TC, defining a WSS profile for use of One-Time Password (OTP) authentication. The intended goal is to accommodate a broad range of OTP technologies within the WSS framework. While conceptually similar to the existing UsernameToken profile, this profile would support transport of OTP-related ancillary information (e.g., PINs, challenges, counters, device and algorithm identifiers) in conjunction with authentication requests in order to provide comprehensive support for OTP methods within the WSS/SOAP environment.
>
> We anticipate that the profile will accommodate OTP methods including (but not limited to) OATH HOTP, RACF PassTickets, RSA SecurID(r) authenticator token devices, and other candidates that may be identified within the TC. While IPR claims may apply to underlying OTP methods that the profile may support, the proposers intend that the constructions to be defined in the profile itself be unencumbered.
>
> This profile would be functionally comparable to other profiles defined within the WSS TC, so we believe it is appropriate to standardize within the same forum. We propose that this activity be undertaken as a general TC work item, comparable to other profiles addressed by the TC, rather than within a distinct subcommittee. It is not the proposers' intent that this work item be incorporated into WSS 1.1, or that it delay TC progress on that release.
>
> We anticipate that existing and related work will be available as input for this task. The One-Time Password Specifications (OTPS, http://www.rsasecurity.com/rsalabs/otps) initiative, coordinated by RSA Security, has produced an OTP-WSS-Token specification which has evolved in response to public review and comment. RSA Security proposes to submit a version of this document as input to the WSS TC.
>
> VeriSign, in conjunction with the Open Authentication initiative (OATH, http://www.openauthentication.org) is also producing work related to an OTP token profile. We anticipate that versions of these input documents will be ready for OASIS submission by or during October 2005. We propose that the results of these efforts, along with any other inputs which may be received through the OASIS process, be harmonized under WSS TC auspices.
>
> John Linn, RSA Security
> Hans Granqvist, VeriSign