By analogy, I wasn’t able to find a
statement within the core WSS spec requiring that all conformant WSS
implementations must support any particular token profile so as to ensure universal
interoperability based on that token profile. Therefore, if I understand
correctly, it would appear that the necessary prerequisite for WSS interoperability
between a pair of peers must require support not only for core WSS but also, in
addition, intersecting support for at least one profile. The case of support
for particular OTP methods below the WSS-OTP profile seems comparable, at a
lower layer; for two given WSS-OTP peers to interoperate, they must have
intersecting support for at least one underlying OTP method.
To clarify, are you seeking (a) definition
within the spec of one or more identifiers for example OTP methods that may be
used by WSS-OTP implementers desiring to interoperate or (b) a requirement that
all conformant WSS-OTP implementations must support one or more specified
methods in order to achieve universal interoperability? If (b), there’s
an apparent need for the specification to identify the required method(s), but
(b) seems inappropriate in the context of a method-neutral framework. If
(a), the need for method identifiers within the spec (vs. being obtained from
independent documents) seems less clear.
--jl
From: Paul Cotton
[mailto:Paul.Cotton@microsoft.com]
Sent: Monday, March 27, 2006 12:37
PM
To: Linn, John; Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP
Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf)
uploaded
The minutes for last week’s meeting
state:
http://lists.oasis-open.org/archives/wss/200603/msg00026.html
>Hal - reasonable to
allow any identifier to be used, but spec should only list those that can be
used. No need for proprietary identifier to be standardized.
>Chris - concern about
references to encumbered algorithms/identifiers.
I don’t think the TC was asking for
all the identifiers to be removed. I agree with Tony that we need
at least one OTP algorithm and identifier in the spec in order to permit
interop testing.
I don’t believe the TC should
standardize a spec with an algorithm extensibility point if we do not do any
interop testing on that extensibility point.
Shouldn’t we leave at least lines
169-171 in the spec and remove lines 172-177?
/paulc
Paul Cotton, Microsoft
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com
From: Linn, John
[mailto:jlinn@rsasecurity.com]
Sent: March 27, 2006 8:21 AM
To: Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP
Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf)
uploaded
It’s also possible to demonstrate
interoperability on a pairwise basis, using any underlying method for which
claimant and verifier sides share common support. I don’t think
it’s necessary for any one method to be supported universally. Note
also: it’s possible that a WSS endpoint receiving a WSS/OTP request can
and will itself be largely method-independent; rather than validating the OTP
value itself, it may instead dispatch it to a separate authentication server
where users’ OTP credentials would be stored and any method-specific
validation would be performed.
--jl
From: Anthony Nadalin
[mailto:drsecure@us.ibm.com]
Sent: Sunday, March 26, 2006 10:50
PM
To: Linn, John
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP
Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf)
uploaded
I would think that there should be some OTP algorithm (and identifiers) that
could be agreed upon so that there could be some level of interop
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Linn,
John" <jlinn@rsasecurity.com>
|
"Linn,
John" <jlinn@rsasecurity.com> 03/24/2006 11:48 AM |
|
Lines 137-138
were intended as informative clarification only. They can be deleted without
impacting the surrounding content.
Additionally, in recognition
of the fact that there is no intent for the document to mandate or constrain
the use of particular OTP algorithms, I propose that the current lines 169-178
be replaced with the following text: “This specification does not define
identifiers for specific underlying OTP algorithms with which it may be used.
Values for such identifiers are defined separately, in conjunction with
independent OTP algorithm specifications.”
Given the above changes, it
should also be possible to remove corresponding trademark references within the
Notices section.
Would these proposals suffice
to allay concern about occurrences of trademarks within the document?
--jl
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 21, 2006 9:19 AM
To: wss@lists.oasis-open.org
Subject: Re: [wss] Groups - OTP Token Consolidated Input Submission
(wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
Line
133-138 reference a registered trade mark, seems that there are implications of
this in a specification, I'm not sure of the reason why it is referenced.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122