[OpenID] OpenID Book draft version available for download - OTP and dumb mode
Peter Williams
pwilliams at rapattoni.com
Sun Jul 29 20:15:43 UTC 2007
This thread of discussion on OTP does raise an interesting, and
"meritocracy" forum issue.
The 20+ year OTP world was of course an offline device. Seq-num or
time-based math cross that divide allowing application in online
authentication. Nowadays of course, we have connected tokens everywhere
- otherwise known as your "phone".
In the SecurID world at least, there has long been a notion that a
connected OTP device can be a kind of signing/authenticating device -
where the device could take a challenge value from the host ... before
computing the OTP. The OTP thus acts a bit like a nonce-influenced hmac.
In the world of OpenID, some interesting possibilities emerge with
connected OTP tokens, particular considering dumb mode over directmode
communications. So what are they, you ask?
If one removes the hmac function from OpenID auth and replaces it with an
OTP-sig, little or nothing changes in the OpenID Auth world ... except
that few consumers will have the means to verify the OTP, being a
proprietary hashing algorithm (usually, bellcore work notwithstanding).
What does dumb mode require of course...? That the signature is sent to
the OP for verification. Perhaps that's where the OTP check gets done,
therefore - by an OP with the necessary wherewithal to verify
(challenge-based) OTPs.
How does one trust that the ok/notok comes from the OP, in dumb mode?
Well. Not that I've ever seen it asserted this boldly, but I'm guessing
that's the point of the designers giving one the DH channel - using the
mac's encryption as a data origin authentication service between OP and
Consumer. How one performs the DH public key distribution is ... well, a
matter for further study in OpenID land. Of course, one can rely on SSL,
in which case one might as well just use a DH-ciphersuite of SSL,
suitable HTTP 1.1 Host headers and discard the OpenID DH DOA mechanism.
Interesting thought train. Does it improve at all my (admittedly poor)
understanding of OpenID Auth?
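The idea in the message above (a connected token that takes a challenge from the host before computing its OTP, the OTP standing in for the hmac signature, and a dumb-mode consumer that round-trips the value to the OP because it cannot verify the OTP itself) can be made concrete in a small simulation. The code below is an added example, not part of the thread or of any OpenID or SecurID implementation. It uses plain RFC 4226 HOTP as the building block and assumes a challenge-bound variant (host nonce prepended to the counter before the HMAC) that is purely illustrative; `check_authentication` is OpenID's own name for the dumb-mode verification step, but the `OpenIDProvider`, `ConnectedToken` and `relying_party_dumb_mode` names, and the fact that OP and RP live in one process, are assumptions made for the demonstration. The seed and identity values are constructed.

```python
"""Challenge-bound OTP used as the OpenID signature, verified in dumb mode.

Constructed simulation (not project code): the connected token receives a
challenge from the OP and mixes it into an HMAC-based OTP; the relying party,
lacking any way to verify a proprietary OTP, forwards the assertion to the
OP's check_authentication step exactly as dumb mode does.
"""
import hashlib
import hmac
import secrets
import struct


def dynamic_truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC output to a decimal code."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain event-based OTP (RFC 4226 HOTP) over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def challenge_otp(secret: bytes, challenge: bytes, counter: int,
                  digits: int = 6) -> str:
    """Assumed challenge-bound variant: the host challenge is prepended to the
    counter before the HMAC, so the code behaves as a nonce-influenced HMAC."""
    msg = challenge + struct.pack(">Q", counter)
    return dynamic_truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class ConnectedToken:
    """The user's token (e.g. a phone applet) holding the shared seed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def sign(self, challenge: bytes) -> str:
        otp = challenge_otp(self.secret, challenge, self.counter)
        self.counter += 1          # a counter value is never reused
        return otp


class OpenIDProvider:
    """OP that issues challenges and answers check_authentication requests."""

    def __init__(self):
        self.enrolled = {}         # identity -> [seed, expected counter]
        self.outstanding = {}      # nonce -> identity awaiting a response
        self.consumed = set()      # nonces already checked (replay defence)

    def enroll(self, identity: str, secret: bytes) -> None:
        self.enrolled[identity] = [secret, 0]

    def issue_challenge(self, identity: str) -> bytes:
        nonce = secrets.token_bytes(8)
        self.outstanding[nonce] = identity
        return nonce

    def check_authentication(self, identity: str, nonce: bytes, otp: str) -> bool:
        """Dumb-mode verification: only the OP holds the seed, so only it can
        recompute the OTP; a nonce is accepted at most once."""
        if nonce in self.consumed or self.outstanding.get(nonce) != identity:
            return False
        secret, counter = self.enrolled[identity]
        if not hmac.compare_digest(challenge_otp(secret, nonce, counter), otp):
            return False
        self.consumed.add(nonce)
        del self.outstanding[nonce]
        self.enrolled[identity][1] = counter + 1
        return True


def relying_party_dumb_mode(op: OpenIDProvider, identity: str,
                            nonce: bytes, otp: str) -> bool:
    """RP with no association and no OTP algorithm: it can only round-trip the
    OTP-sig to the OP (the check_authentication request)."""
    return op.check_authentication(identity, nonce, otp)


def run_demo():
    """Returns (fresh assertion accepted, replay rejected,
    wrong-seed token rejected, next fresh assertion accepted)."""
    op = OpenIDProvider()
    identity = "https://alice.example/"          # constructed identity
    seed = b"12345678901234567890"               # constructed seed
    op.enroll(identity, seed)
    token = ConnectedToken(seed)

    nonce1 = op.issue_challenge(identity)
    otp1 = token.sign(nonce1)
    fresh_ok = relying_party_dumb_mode(op, identity, nonce1, otp1)
    replay_ok = relying_party_dumb_mode(op, identity, nonce1, otp1)

    impostor = ConnectedToken(b"some-other-seed-entirely")
    nonce2 = op.issue_challenge(identity)
    impostor_ok = relying_party_dumb_mode(op, identity, nonce2, impostor.sign(nonce2))

    nonce3 = op.issue_challenge(identity)
    next_ok = relying_party_dumb_mode(op, identity, nonce3, token.sign(nonce3))
    return fresh_ok, replay_ok, impostor_ok, next_ok


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is the one the message raises: moving verification to the OP works only if the OP is the sole holder of the token seed and tracks nonce and counter state, and the consumer then has to trust that the ok/notok answer really came from the OP, which this in-process model sidesteps and a real deployment must cover with the DH association or a server-authenticated SSL channel.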
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Peter Williams
Sent: Sunday, July 29, 2007 11:01 AM
To: Hans Granqvist; general at openid.net
Subject: Re: [OpenID] OpenID Book draft version available for download
Hans:
Enjoy:-
http://www.rsa.com/node.aspx?id=1313
The underlying OTAR-style (over the air rekey) "provisioning" protocol
is at
http://www1.ietf.org/mail-archive/web/ietf-announce/current/msg03203.html
Rapattoni's major competitor discusses their variant at
http://www.clareitysecurity.com/solutions-safemls-authenticators.cfm
The OpenID assumption still stands, note. An OTP (from some container or
other) allows the human to complete user auth to a IDP. Once that IDP
supports an OP, OpenID Auth converts strong auth claims into a claimset,
along with registration-type attributes.
The release of attributes of any kind is subject to "policy
decision/enforcement point" behavior, depending on the semantics of the
claim-making protocol. (1) OpenID has policy-decision/enforcement
semantics built in. (2) SAML1.x delegates to an XACML-aware binding.
SAML2 uses comsec controls to apply the writer-to-reader doctrine (i.e.
encrypt the attributes on the wire, where key management controls
assure that only intendedRecipients can release the cleartext(s))
OTP values from "connected tokens" require more of token-passing
architectures when... as the underlying strong authentication is
"continuous" - the protocol must emulate "continuous token-making" by
some means
For example, see http://www.ietf.org/rfc/rfc4793.txt
-----Original Message-----
From: hans at granqvist.com [mailto:hans at granqvist.com] On Behalf Of Hans
Granqvist
Sent: Sunday, July 29, 2007 10:23 AM
To: general at openid.net
Cc: Peter Williams
Subject: Re: [OpenID] OpenID Book draft version available for download
Hi Peter
> ...
> Realty is already making advanced use of OTPs generated on smartphone
> applets; removing the notion of carrying around multiple little key
> fobs.
Do you have pointers to more info?
Thanks,
Hans