OTP-WSS-Token
John Linn, RSA Laboratories, DRAFT: 24 May 2005

OTP-WSS-Token
• Goal: support OTP-based authentication from claimants to relying parties (RPs) in web service environments
• XML-encoded
OTP-WSS-Token: Operational Context
• OTP authentication can be integrated with Web Services Security: SOAP Message Security (WSS:SMS) in different ways, such as:
— Directly, using the OTPToken type proposed in this draft
— Indirectly, using a SAML message token with an assertion based on OTP authentication
— At a stream level, as by using OTP to authenticate WS-SecureConversation or SASL
• This draft's approach authenticates a single SOAP request, and is particularly suited for stand-alone actions like acquiring login credentials
OTP-WSS-Token: Recent and Potential Changes
• Technical changes in 1-0d2 draft, 8 April 2005
— Namespace now "otps-wst"
— No default algorithm identifier
• Potential changes to consider
— Token identifier change from TokID (XML ID type) to WSS:SMS wsu:Id type to simplify WSS:SMS integration
— Further treatment of OTPToken placement and referencing in WSS:SMS environment (see next slide)
• To identify OTPToken(s) used for authentication
• Possibly to identify OTPToken(s) used to provide key derivation inputs?
Proposals for Referencing OTPTokens in WSS:SMS
• Recommended placement: direct descendant of
— Q: Define a key derivation algorithm within the document?
OTP-WSS-Token: OTPToken Elements
All optional except
— Use of other elements may vary for different algorithms and use cases
— e.g., counter for counter-based OTP algorithms
— Q: priority for support within token vs. externally?
OTP-WSS-Token: OTPToken Attributes
• TokQual attribute group can identify user's device by user identity (TokUser) and/or serial number (Serial)
— Must provide at least one form to construct a valid OTPToken
• Optional TokID attribute supports linkage to
OTP-WSS-Token: Exception Cases
• In WSS:SMS context, can indicate authentication failures with a SOAP fault carrying the FailedAuthentication value and a Fault/Detail entry
— If a new PIN is needed, can contact a separate PIN change service, then generate new
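The slides on OTPToken elements, attributes and exception cases describe what a relying party must check when it receives one SOAP request carrying an OTPToken: locate the token under the Security header, enforce the TokQual rule (at least one of TokUser or Serial), verify the OTP value (a counter for counter-based algorithms), and answer failures with a SOAP fault whose code is FailedAuthentication. The following is an added example written for this page, not the draft's own schema or code. It assumes an element named OTP for the OTP value and one named Counter for the counter, a placeholder namespace URI for the "otps-wst" prefix, an HOTP (RFC 4226) device with the RFC's test key as the constructed registry entry, and a constructed SOAP request. The wsse/wsu/SOAP 1.1 URIs and the generic FailedAuthentication faultstring are the real WSS:SMS values.

```python
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

# SOAP 1.1 and the OASIS WSS:SMS wsse/wsu URIs are real; the otps-wst URI is
# a PLACEHOLDER because the draft's actual namespace URI is not given here.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
OTPS_NS = "urn:example:otps-wst"  # placeholder
NS = {"soap": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS, "otps": OTPS_NS}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def soap_fault() -> str:
    """SOAP 1.1 Fault with the WSS:SMS wsse:FailedAuthentication code. The slide says a
    Fault/Detail entry accompanies it but does not define one here, so detail is left
    empty; the concrete reason stays server-side so the response does not reveal which
    check failed."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}"><soap:Body>'
            "<soap:Fault><faultcode>wsse:FailedAuthentication</faultcode>"
            "<faultstring>The security token could not be authenticated or authorized"
            "</faultstring><detail/></soap:Fault></soap:Body></soap:Envelope>")


def verify_envelope(envelope_xml: str, registry: dict, window: int = 5) -> dict:
    """Relying-party check of one SOAP request carrying an OTPToken.
    Returns {"ok": True, "user": ..., "token_id": ...} on success, otherwise
    {"ok": False, "reason": ..., "fault": <SOAP fault XML>}."""
    def fail(reason):
        return {"ok": False, "reason": reason, "fault": soap_fault()}

    root = ET.fromstring(envelope_xml)
    # Recommended placement from the slides: a direct child of wsse:Security.
    token = root.find("soap:Header/wsse:Security/otps:OTPToken", NS)
    if token is None:
        return fail("no OTPToken under wsse:Security")
    # TokQual rule: at least one of TokUser / Serial must be present.
    serial, user = token.get("Serial"), token.get("TokUser")
    if serial is None and user is None:
        return fail("OTPToken carries neither TokUser nor Serial")
    device = next((d for sn, d in registry.items()
                   if (serial is None or sn == serial) and (user is None or d["user"] == user)), None)
    if device is None:
        return fail("no registered device matches TokUser/Serial")
    otp_el = token.find("otps:OTP", NS)  # element name is an assumption
    if otp_el is None or not (otp_el.text or "").strip():
        return fail("OTPToken has no OTP value")
    presented = otp_el.text.strip()
    # Counter is optional (counter-based algorithms only). A claimant-supplied counter
    # may only move the search window forward, never behind the last accepted value,
    # otherwise a captured OTP could be replayed.
    start = device["next_counter"]
    counter_el = token.find("otps:Counter", NS)  # element name is an assumption
    if counter_el is not None and (counter_el.text or "").strip().isdigit():
        start = max(start, int(counter_el.text))
    for c in range(start, start + window):
        if hmac.compare_digest(hotp(device["secret"], c), presented):
            device["next_counter"] = c + 1  # consume this and any skipped counters
            return {"ok": True, "user": device["user"], "token_id": token.get(f"{{{WSU_NS}}}Id")}
    return fail("OTP did not verify within the look-ahead window")


# Constructed sample request. The registry secret below is the RFC 4226 test key,
# for which counter 1 yields the OTP 287082.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}"
    xmlns:wsu="{WSU_NS}" xmlns:otps-wst="{OTPS_NS}">
  <soap:Header>
    <wsse:Security>
      <otps-wst:OTPToken wsu:Id="otp-1" TokUser="alice" Serial="SN-000123">
        <otps-wst:OTP>287082</otps-wst:OTP>
        <otps-wst:Counter>1</otps-wst:Counter>
      </otps-wst:OTPToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetCredential/></soap:Body>
</soap:Envelope>"""


def make_registry() -> dict:
    """Constructed device registry keyed by serial number (mutable counter state)."""
    return {"SN-000123": {"user": "alice", "secret": b"12345678901234567890", "next_counter": 0}}


if __name__ == "__main__":
    reg = make_registry()
    first = verify_envelope(SAMPLE_REQUEST, reg)
    replay = verify_envelope(SAMPLE_REQUEST, reg)  # the same OTP presented again must fail
    print(first["ok"], replay["ok"], replay["reason"])
```

The second call with the identical envelope fails because the accepted counter was consumed, which is the property that makes a single-request OTPToken safe against a captured message being resubmitted; the look-ahead window bounds how far a device may drift ahead of the server before resynchronisation is needed.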
OTP-WSS-Token: OTPToken Schema
OTP-WSS-Token: Example OTPToken
OTP-WSS-Token: Next Steps
• Consensus and stabilization on document content
• Proceed towards a contribution derived from the content, likely to the OASIS WSS TC?