RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-s

The minutes for last week’s meeting state:

http://lists.oasis-open.org/archives/wss/200603/msg00026.html

>Hal - reasonable to allow any identifier to be used, but spec should only list those that can be used. No need for proprietary identifier to be standardized.

>Chris - concern about references to encumbered algorithms/identifiers.

I don’t think the TC was asking for all the identifiers to be removed. I agree with Tony that we need at least one OTP algorithm and identifier in the spec in order to permit interop testing.

I don’t believe the TC should standardize a spec with an algorithm extensibility point if we do not do any interop testing on that extensibility point.

Shouldn’t we leave at least lines 169-171 in the spec and remove lines 172-177?

/paulc

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com

From: Linn, John [mailto:jlinn@rsasecurity.com]
Sent: March 27, 2006 8:21 AM
To: Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded

It’s also possible to demonstrate interoperability on a pairwise basis, using any underlying method for which claimant and verifier sides share common support. I don’t think it’s necessary for any one method to be supported universally. Note also: it’s possible that a WSS endpoint receiving a WSS/OTP request can and will itself be largely method-independent; rather than validating the OTP value itself, it may instead dispatch it to a separate authentication server where users’ OTP credentials would be stored and any method-specific validation would be performed.

--jl

From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Sunday, March 26, 2006 10:50 PM
To: Linn, John
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded

I would think that there should be some OTP algorithm (and identifiers) that could be agreed upon so that there could be some level of interop

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Linn, John" <jlinn@rsasecurity.com>

"Linn, John" <jlinn@rsasecurity.com>

03/24/2006 11:48 AM

Anthony Nadalin/Austin/IBM@IBMUS, <wss@lists.oasis-open.org>

Subject

RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded

Lines 137-138 were intended as informative clarification only. They can be deleted without impacting the surrounding content.

Additionally, in recognition of the fact that there is no intent for the document to mandate or constrain the use of particular OTP algorithms, I propose that the current lines 169-178 be replaced with the following text: “This specification does not define identifiers for specific underlying OTP algorithms with which it may be used. Values for such identifiers are defined separately, in conjunction with independent OTP algorithm specifications.”

Given the above changes, it should also be possible to remove corresponding trademark references within the Notices section.

Would these proposals suffice to allay concern about occurrences of trademarks within the document?

--jl

From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 21, 2006 9:19 AM
To: wss@lists.oasis-open.org
Subject: Re: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded

Line 133-138 reference a registered trade mark, seems that there are implications of this in a specification, I'm not sure of the reason why it is referenced.

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122

wss message