
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded


> The paper lists can be replaced by lists of genuinely random data obtained from a natural source of randomness without any effect on any intermediary.

 

Wouldn’t this “genuinely random data” still have to be written down on “paper lists”?  In other words, the genuinely random data doesn’t replace the paper lists, it’s only a way to generate the data on the paper lists, right?

 

&Thomas.

 


From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
Sent: Friday, March 31, 2006 8:23 PM
To: Paul Cotton; Linn, John; Anthony Nadalin
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded

 

From: Paul Cotton [mailto:Paul.Cotton@microsoft.com]
Sent: Thursday, March 30, 2006 10:08 PM
To: Linn, John; Anthony Nadalin; Hallam-Baker, Phillip
Cc: wss@lists.oasis-open.org
Subject: RE: [wss] Groups - OTP Token Consolidated Input Submission (wss-v1 1-spec-os-OTPTokenProfile.pdf) uploaded

> I think it’s appropriate to have an optional attribute to carry an algorithm identifier. 

 

I continue to believe the algorithm identifier must be mandatory and that the specification must define at least one identifier.

 

Please explain your reasoning.

 

 

The only two locations that have to be aware of the algorithm used are the token itself and the authentication server that verifies it.

 

Both locations can be replaced by paper lists without effect on the intermediary. The paper lists can be replaced by lists of genuinely random data obtained from a natural source of randomness without any effect on any intermediary.

 

There is no way for any intermediary to determine what algorithm is used.

 

The only possible significance an intermediary can attach to the algorithm field is to disambiguate the ID field.

 

> The goal hasn’t been to support only a constrained, specified set of OTP algorithms, but rather to provide a profile with sufficient generality so that it can be applied to a broad range of algorithms.

 

The proposed document states (lines 186-187):

 

“The set of items that occur in a particular OtpToken will depend on the OTP method and profile being used, and on the characteristics of the specific authentication to be processed.”

 

Shouldn’t this specification define what parameters are used for the algorithms defined in the specification?   

No.

 
