Discussion:
[OAUTH-WG] Review of draft-ietf-oauth-amr-values-01
Hannes Tschofenig
2016-08-03 07:50:31 UTC
Hi Mike, Phil, Tony,

I have read through draft-ietf-oauth-amr-values-01. My earlier comments
have been addressed.

As a shepherd I nevertheless have a few questions/remarks:

1) The term 'multiple-channel authentication' is unfamiliar to me.
Could you give me an example or a reference to a specification?

2) PIN: The use of RFC 2119 language appears to be inappropriate.

3) Could you explain to me what 'risk-based authentication' is? While you
provided a reference

4) Could we generalize the term 'wia' to operating systems other than
Windows as well?

5) I am not sure whether all normative references indeed need to be
declared as such.
For example, 'otp' is defined in a very generic fashion but you list
HOTP and TOTP as normative references.
I would rather see HOTP and TOTP as standardized examples of
one-time passwords. IMHO the story would be different if you indeed want
to differentiate between the different technical mechanisms themselves. This
is a reasonable approach as well if the security differences between the
mechanisms are important for the given application.

Ciao
Hannes
Mike Jones
2016-09-03 00:00:40 UTC
Thanks for your review, Hannes. Replies are inline...

-----Original Message-----
From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, August 3, 2016 12:51 AM
To: ***@ietf.org
Subject: [OAUTH-WG] Review of draft-ietf-oauth-amr-values-01

Hi Mike, Phil, Tony,

I have read through draft-ietf-oauth-amr-values-01. My earlier comments have been addressed.

As a shepherd I nevertheless have a few questions/remarks:

1) The term 'multiple-channel authentication' is unfamiliar to me.
Could you give me an example or a reference to a specification?

https://www.ldapwiki.com/wiki/Multiple-channel%20Authentication has a clear explanation. However, I'm reluctant to reference a wiki page that may be transient from an RFC. If anyone out there has a more stable reference to suggest, please do so. Instead, I've added this example text for -02:

For instance, a multiple-channel authentication might involve both entering information into
a workstation's browser and providing information on a telephone call to a pre-registered number.

2) PIN: The use of RFC 2119 language appears to be inappropriate.

Thanks, will be fixed in -02.

3) Could you explain to me what 'risk-based authentication' is? While you provided a reference

https://en.wikipedia.org/wiki/Risk-based_authentication has a clear explanation. Bruce Schneier writes about it in a blog post here https://www.schneier.com/blog/archives/2013/11/risk-based_auth.html. Deloitte has a primer at http://deloitte.wsj.com/cio/2013/10/30/risk-based-authentication-a-primer/. There's lots of material on the web and the term is pretty widely known in authentication/identity circles. Unfortunately, as with "mca", I don't know of a great authoritative reference to cite. Any suggestions out there?

4) Could we generalize the term 'wia' to operating systems other than Windows as well?

I don't think so. It consists of a particular set of documented protocol interactions, as described at http://blogs.msdn.com/b/benjaminperkins/archive/2011/09/14/iis-integrated-windows-authentication-with-negotiate.aspx. That said, because these protocols are publicly documented, other systems (maybe SAMBA?) may have also implemented it.

5) I am not sure whether all normative references indeed need to be declared as such.
For example, 'otp' is defined in a very generic fashion but you list HOTP and TOTP as normative references.
I would rather see HOTP and TOTP as standardized examples of one-time passwords. IMHO the story would be different if you indeed want to differentiate between the different technical mechanisms themselves. This is a reasonable approach as well if the security differences between the mechanisms are important for the given application.

If use cases arise in which applications want to define additional "amr" values "hotp" and/or "totp", they can use the registry established by this application to do so. It's explicitly not a goal of this specification to define all practical values. Rather, it defines a few values that are actually in production use and even more importantly, establishes the registry for defining more, as needed in practice.

Ciao
Hannes


Thanks again,
-- Mike
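The exchange above turns on how a relying party should treat the "amr" values the draft defines ("mca", "otp", "pin", "rba", "wia") versus values a deployment registers itself ("hotp", "totp"). The following is an added example, not code from the draft or from anyone on this thread, of a relying-party policy check over the "amr" claim of an ID token: extension values are expanded to the generic value they refine, anything unrecognised is dropped so it can never satisfy a rule, and a malformed claim is treated as no method asserted. Function names, the EXTENSION_REFINES mapping and the sample token are assumptions made for the example; signature verification is assumed to happen before claims are inspected.

```python
import base64
import json

# Values discussed in this thread (draft-ietf-oauth-amr-values). "hotp" and
# "totp" are not defined there; a deployment that wants them registers them.
DRAFT_AMR = {"mca", "otp", "pin", "rba", "wia"}
# Assumption for this example: locally registered extension values and the
# draft value each one refines (HOTP/TOTP as examples of "otp").
EXTENSION_REFINES = {"hotp": "otp", "totp": "otp"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_id_token(id_token: str) -> dict:
    """Extract the payload claims of a compact JWS. The signature is assumed
    to have been verified already by the caller's JWT library."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def effective_amr(claims: dict) -> set:
    """Recognised amr values, with extension values expanded to the draft
    value they refine. Unknown strings are dropped so that an unexpected
    value can never make a policy pass."""
    raw = claims.get("amr", [])
    if not isinstance(raw, list) or not all(isinstance(v, str) for v in raw):
        return set()  # missing or malformed claim: rely on nothing
    methods = set()
    for value in raw:
        if value in DRAFT_AMR:
            methods.add(value)
        elif value in EXTENSION_REFINES:
            methods.update({value, EXTENSION_REFINES[value]})
    return methods


def satisfies(claims: dict, require_all=(), require_any=()) -> bool:
    """True when every method in require_all is present and, if require_any
    is non-empty, at least one of those methods is present as well."""
    methods = effective_amr(claims)
    if not set(require_all) <= methods:
        return False
    return not require_any or bool(methods & set(require_any))


def sample_id_token(amr: list) -> str:
    """Constructed sample token (placeholder signature) for local testing."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'sub': 'alice', 'amr': amr})}.sig-placeholder"
```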
Hannes Tschofenig
2016-09-09 06:32:09 UTC
Hi Mike,

thanks for the response. I am fine with your explanations.

Ciao
Hannes