Re: Interest in a push-based two-factor auth standard?

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 08 March 2017 02:02 UTC

In-Reply-To: <20170307203719.GB6276@Alexs-MacBook-Pro>
References: <20170302055128.GJ12470@Alexs-MacBook-Pro> <CAMm+Lwg_kAtYUGivYSF5ZzF5nfywS4rzYG88UEzxgjRL2_=83Q@mail.gmail.com> <20170307203719.GB6276@Alexs-MacBook-Pro>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 07 Mar 2017 21:02:49 -0500
Message-ID: <CAMm+LwjxRiUofiDo3UoPYfJPy=QSCze99bq+6xcUj6HfV7yheg@mail.gmail.com>
Subject: Re: Interest in a push-based two-factor auth standard?
To: Alex Jordan <alex@strugee.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/9c2HPkchGbScuNb7zP94J-ficQA>
Cc: IETF Discussion Mailing List <ietf@ietf.org>

On Tue, Mar 7, 2017 at 3:37 PM, Alex Jordan <alex@strugee.net> wrote:

> On Mon, Mar 06, 2017 at 08:05:11AM -0500, Phillip Hallam-Baker wrote:
>
> > What we are discussing goes beyond two-factor auth. If you have a cell
> > phone with a device-specific signature key, it can sign the response which
> > means that you automatically collect up a non-repudiable audit log of the
> > user's actions. This is beyond anything possible with OTP number sequences
> > or USB dongles.
>
> Indeed. I suspect there are a lot of unexplored uses for such a
> standard, but haven't explored it fully yet. (Note also that the lack
> of deniability could be seen as a positive thing _or_ a negative
> thing, depending.)
>
> > I am interested and have developed several protocols of this type using
> > JSON. My work provides prior art back to 2010 at the very least.
>
> Are there any public references for this work?
>

https://tools.ietf.org/id/draft-hallambaker-owcp-00.txt
https://tools.ietf.org/html/draft-hallambaker-sxs-confirm-02

That is not the latest version. There might even be a later published
version.

I have code. The reason I have not updated the drafts is that right now I
am working on the problem of binding all the user's devices together so
that they can respond to a confirmation request from their phone or their
watch or any other device(s) they pick. Each device always signs with a
unique device key, however, so the signatures can be tracked back to the
device used.

> I think what makes most sense at this point is for me to draw up a
> rough Internet draft and then send it to the Security area and see
> what they think the best way forward is. Looking at prior work will
> probably aid in the design of such a draft.
>
> Does that seem okay to those who have expressed interest in this?
>
> Cheers!
>
> AJ
>
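The exchange described in this thread, as an added example that is not code from the original message, from the linked drafts, or from either participant: a server pushes a confirmation request, any one of the user's enrolled devices (here a phone and a watch) signs the answer with its own key, and the server keeps each accepted, signed answer as an audit record that names the device and can be re-verified later. Everything concrete here is this example's own assumption: Ed25519 as the device signature algorithm, a JSON array as the canonical signed form, the field names `RequestID`, `Action`, `DeviceID`, `Approved` and `Sig`, and in-memory enrolment of the device public keys. The drafts' own wire format is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ConfirmRequest is the push sent to every device the user has enrolled.
type ConfirmRequest struct {
	RequestID string // random nonce: exactly one answer is accepted per request
	Action    string // the operation the user is asked to approve or deny
}

// ConfirmResponse is one device's answer; Sig covers the other three fields.
type ConfirmResponse struct {
	Request  ConfirmRequest
	DeviceID string
	Approved bool
	Sig      []byte // Ed25519 over signedBytes(Request, DeviceID, Approved)
}

// signedBytes is the canonical byte string both sides sign and verify (assumed format).
func signedBytes(req ConfirmRequest, deviceID string, approved bool) []byte {
	b, err := json.Marshal([]interface{}{req, deviceID, approved})
	if err != nil {
		panic(err) // plain types: cannot fail
	}
	return b
}

type Device struct { // one enrolled device; its private key never leaves it
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(id string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{ID: id, Pub: pub, priv: priv}
}

// Respond signs the decision with this device's own key and nothing else.
func (d *Device) Respond(req ConfirmRequest, approve bool) ConfirmResponse {
	return ConfirmResponse{req, d.ID, approve, ed25519.Sign(d.priv, signedBytes(req, d.ID, approve))}
}

// Server holds one public key per enrolled device, the open requests, and the
// audit log, which stores each accepted response verbatim so it can be re-verified.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string]ConfirmRequest
	Audit   []ConfirmResponse
}

func NewServer() *Server { return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string]ConfirmRequest{}} }
func (s *Server) Enroll(d *Device) { s.devices[d.ID] = d.Pub }

// Issue creates a fresh request that any one enrolled device may answer.
func (s *Server) Issue(action string) ConfirmRequest {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	req := ConfirmRequest{fmt.Sprintf("%x", nonce), action}
	s.pending[req.RequestID] = req
	return req
}

// Accept verifies the answer under the claimed device's enrolled key and, only
// on success, retires the request and appends the response to the audit log.
func (s *Server) Accept(resp ConfirmResponse) error {
	req, ok := s.pending[resp.Request.RequestID]
	if !ok || req != resp.Request {
		return fmt.Errorf("request %q is unknown, already answered, or altered", resp.Request.RequestID)
	}
	pub, ok := s.devices[resp.DeviceID]
	if !ok || !ed25519.Verify(pub, signedBytes(resp.Request, resp.DeviceID, resp.Approved), resp.Sig) {
		return fmt.Errorf("signature does not verify under the enrolled key of device %q", resp.DeviceID)
	}
	delete(s.pending, req.RequestID)
	s.Audit = append(s.Audit, resp)
	return nil
}

func main() {
	srv, phone, watch := NewServer(), NewDevice("phone"), NewDevice("watch")
	srv.Enroll(phone)
	srv.Enroll(watch)
	req := srv.Issue("wire 5000 to account 1234")
	fmt.Println("watch approves:", srv.Accept(watch.Respond(req, true))) // <nil>
	forged := phone.Respond(srv.Issue("change password"), true)
	forged.DeviceID = watch.ID // the phone's signature passed off as the watch's
	fmt.Println("mislabelled device:", srv.Accept(forged)) // error
}
```

Two points the code makes that the prose only implies. First, the device ID is inside the signed bytes, so a valid phone signature cannot be relabelled as the watch's: the audit log really is traceable to the device used, not merely to the user. Second, the log entry carries the signature, so a third party holding the enrolled public keys can re-verify it without trusting the server; that is the non-repudiation property, and, as the thread notes, it is exactly the property a user may not want. A deployment would also need a canonical encoding that both sides agree on (JSON field order is not canonical in general) and some enrolment or attestation story for the device keys, neither of which is shown here.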