From: Linn, John [mailto:jlinn@rsasecurity.com]
Sent: March 30, 2006 3:20 PM
To: Anthony Nadalin; Hallam-Baker, Phillip
Cc: Paul Cotton; wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
I think it’s appropriate to have an optional attribute to carry an algorithm identifier. Per Tony’s point, different OTP algorithms and usage modes may imply different sets of associated parameters besides the OTP value itself. Further, it’s possible for claimants and/or verifiers to support multiple OTP methods, in which case the ability to explicitly tag the method in use for a particular authentication avoids ambiguity for the verifier. In many cases, it’ll likely be possible to determine the algorithm from other inputs (e.g., based on the identity of the user being authenticated, or a domain identifier associated with the OTP device), and the attribute can then be omitted.

I don’t see, however, that the premise of utility for an algorithm identifier attribute within the protocol necessarily leads to the conclusion that values for that identifier need to be part of the specification. The goal hasn’t been to support only a constrained, specified set of OTP algorithms, but rather to provide a profile with sufficient generality so that it can be applied to a broad range of algorithms.
--jl
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Thursday, March 30, 2006 2:08 PM
To: Hallam-Baker, Phillip
Cc: Linn, John; Paul Cotton; wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
I disagree that the algorithm does not need to be known, as not all OTP implementations are black boxes as you state. One of the rationales for not using the UNT profile is that you had different algorithms and different input to those algorithms.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Sent: 03/30/2006 12:51 PM
To: Anthony Nadalin/Austin/IBM@IBMUS
Cc: "Linn, John" <jlinn@rsasecurity.com>, "Paul Cotton" <Paul.Cotton@microsoft.com>, <wss@lists.oasis-open.org>
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
My point is that there is no need for the algorithm to be known to the transport at all.

Until Adam Shostack reverse engineered the original SecureID algorithm nobody knew what it was. I have no idea which algorithm my OATH or SecureID keys run. It is logically part of the private key.

Since it is causing such confusion I suggest we get rid of the attribute entirely. It is certainly not necessary for the functioning of the specification or for interoperability.
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Thursday, March 30, 2006 1:37 PM
To: Hallam-Baker, Phillip
Cc: Linn, John; Paul Cotton; wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
I'm not comfortable removing algorithm identifiers, as if we don't have a given set of algorithm identifiers that we can work with I'm not sure we have the proper requirements to identify if the algorithm identifiers will need additional input.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Sent: 03/30/2006 11:33 AM
To: "Paul Cotton" <Paul.Cotton@microsoft.com>, "Linn, John" <jlinn@rsasecurity.com>, Anthony Nadalin/Austin/IBM@IBMUS
Cc: <wss@lists.oasis-open.org>
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
So you are OK if we simply take out the identifiers completely?
Just to be clear here, the function of the algorithm is to provide a source of
pseudo random or purely random data. The nature of such a function means that
interoperability cannot be dependent on the properties of the algorithm itself.
While the OATH algorithm is certainly implementable under the same terms as the
other WSS specs I don't want to go through any legal issues I don't have to.
The algorithm identifier is already defined in another place.
From: Paul Cotton [mailto:Paul.Cotton@microsoft.com]
Sent: Wednesday, March 29, 2006 11:02 AM
To: Hallam-Baker, Phillip; Linn, John; Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
> I do not see the need for the algorithm to be specified at all.

I think I explained my position on this in [1], in which I replied to John’s reply to my message you replied to. I repeat my position here:

“But I believe we should only include identifiers for OTP methods that:
a) are implementable under the same terms as the other WSS specs and that
b) the TC has done interop testing on.”
/paulc
[1] http://lists.oasis-open.org/archives/wss/200603/msg00037.html
Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com
From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
Sent: March 28, 2006 4:23 PM
To: Paul Cotton; Linn, John; Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
I do not see the need for the algorithm to be specified at all.
As far as this protocol is concerned the OTP sequence can be emulated by a
perfectly random sequence. It is a black box as far as the protocol is
concerned. The only point where algorithm interoperation is relevant is between
the device itself and the corresponding authentication service.
If it is causing confusion we can strip out the algorithm identifiers
altogether. The only reason they are in at all is to provide one possible means
of disambiguating the ID namespace.
From: Paul Cotton [mailto:Paul.Cotton@microsoft.com]
Sent: Monday, March 27, 2006 12:37 PM
To: Linn, John; Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
The minutes for last week’s meeting state:
http://lists.oasis-open.org/archives/wss/200603/msg00026.html
> Hal - reasonable to allow any identifier to be used, but spec should only list those that can be used. No need for proprietary identifier to be standardized.
> Chris - concern about references to encumbered algorithms/identifiers.
I don’t think the TC was asking for all the identifiers to be removed. I
agree with Tony that we need at least one OTP algorithm and identifier in the
spec in order to permit interop testing.
I don’t believe the TC should standardize a spec with an algorithm
extensibility point if we do not do any interop testing on that extensibility
point.
Shouldn’t we leave at least lines 169-171 in the spec and remove lines 172-177?
/paulc
Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com
From: Linn, John [mailto:jlinn@rsasecurity.com]
Sent: March 27, 2006 8:21 AM
To: Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
It’s also possible to demonstrate interoperability on a pairwise basis, using any underlying method for which claimant and verifier sides share common support. I don’t think it’s necessary for any one method to be supported universally. Note also: it’s possible that a WSS endpoint receiving a WSS/OTP request can and will itself be largely method-independent; rather than validating the OTP value itself, it may instead dispatch it to a separate authentication server where users’ OTP credentials would be stored and any method-specific validation would be performed.
--jl
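John Linn's two messages above (March 30 and March 27) describe a verifier that honours an explicit algorithm identifier when one is present, infers the method from the user or the device's domain when it is absent, and then dispatches to method-specific validation. The following is an added illustration of that resolution step, not code from the thread or from the OTP Token Profile; the method URNs, the per-method parameter sets and the user/domain registries are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical methods; each needs a different set of inputs besides the
# OTP value itself (Tony's point about differing inputs per algorithm).
REQUIRED_PARAMS = {
    "urn:example:otp:counter": {"counter"},
    "urn:example:otp:time": {"timestep"},
    "urn:example:otp:challenge": {"challenge"},
}
# Constructed tables standing in for the credential store: the method each
# user, and each device domain, is registered for.
USER_METHOD = {"alice": "urn:example:otp:counter", "bob": "urn:example:otp:time"}
DOMAIN_METHOD = {"dev-fleet-7": "urn:example:otp:challenge"}


@dataclass
class OTPToken:
    username: str
    otp_value: str
    algorithm: Optional[str] = None   # the optional algorithm identifier attribute
    domain: Optional[str] = None      # domain identifier associated with the device
    params: dict = field(default_factory=dict)


def resolve_method(token: OTPToken) -> str:
    """Pick the OTP method to dispatch on, or raise ValueError if undeterminable."""
    candidates = set()
    if token.domain in DOMAIN_METHOD:
        candidates.add(DOMAIN_METHOD[token.domain])
    if token.username in USER_METHOD:
        candidates.add(USER_METHOD[token.username])
    if token.algorithm is not None:            # explicit tag wins, if consistent
        if token.algorithm not in REQUIRED_PARAMS:
            raise ValueError("unsupported OTP method " + token.algorithm)
        if candidates and token.algorithm not in candidates:
            raise ValueError("algorithm attribute contradicts registered method")
        return token.algorithm
    if len(candidates) != 1:                   # none, or user and domain disagree
        raise ValueError("OTP method ambiguous; algorithm attribute required")
    return candidates.pop()


def check_inputs(token: OTPToken):
    """Return (True, method) when the token can be dispatched, else (False, reason)."""
    try:
        method = resolve_method(token)
    except ValueError as exc:
        return False, str(exc)
    missing = REQUIRED_PARAMS[method] - set(token.params)
    if missing:
        return False, method + " requires " + ", ".join(sorted(missing))
    return True, method
```

A real verifier would hand the resolved method and parameters to the authentication server Linn mentions; the point here is that the attribute is only needed when the other inputs leave the method ambiguous.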
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Sunday, March 26, 2006 10:50 PM
To: Linn, John
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
I would think that there should be some OTP algorithm (and identifiers) that could be agreed upon so that there could be some level of interop.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
From: "Linn, John" <jlinn@rsasecurity.com>
Sent: 03/24/2006 11:48 AM
To: Anthony Nadalin/Austin/IBM@IBMUS, <wss@lists.oasis-open.org>
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
Lines 137-138 were intended as informative clarification only. They can be deleted
without impacting the surrounding content.
Additionally, in recognition of the fact that there is no intent for the
document to mandate or constrain the use of particular OTP algorithms, I
propose that the current lines 169-178 be replaced with the following text:
“This specification does not define identifiers for specific underlying
OTP algorithms with which it may be used. Values for such identifiers are
defined separately, in conjunction with independent OTP algorithm
specifications.”
Given the above changes, it should also be possible to remove corresponding
trademark references within the Notices section.
Would these proposals suffice to allay concern about occurrences of trademarks
within the document?
--jl
From: Anthony Nadalin [mailto:drsecure@us.ibm.com]
Sent: Tuesday, March 21, 2006 9:19 AM
To: wss@lists.oasis-open.org
Subject: Re: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded
Lines 133-138 reference a registered trademark; it seems that there are implications of this in a specification, and I'm not sure of the reason why it is referenced.
Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122