Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-amr-values-05: (with DISCUSS)

"Manger, James" <> Thu, 02 February 2017 03:33 UTC

To: Mike Jones <>, Stephen Farrell <>, Anthony Nadalin <>, "joel jaeggli" <>, The IESG <>

> You can call me lazy if you want.  Some of them are so well known, such as "password" or "PIN" it didn't seem worthwhile to try to track down a reference. 

"password" and "PIN" are so well known, yet curiously they are quite different as "amr" values.
"pwd" is merely defined as "password-based authentication".
But "pin" is not just a short numeric password. The "pin" amr value means authentication uses a (probably device-specific) crypto key that was unlocked with a local PIN or pattern and has defences against repeated guesses.

As a relying party, seeing "pin" means if it is an attacker they needed the user's device and to know their PIN (within a couple of guesses), and there shouldn't be much systemic risk from server-side password DB breaches.
Seeing "pwd" means if it is an attacker they needed to guess the user's password or get it from a password breach. Whether it was a user-chosen password with zero restrictions and susceptible to dictionary attack, or a 12-char upper+lower+numeric+symbol not-in-common-list changed-monthly not-in-last-20 password, you don't know.

As to the "Specification Document(s)" column in the registry, it would be better to leave it blank for those values where the spec provides nothing beyond the Name and Description that are in the registry anyway (such as "iris", "fpt", "geo", "iris", "pwd", "retina", "sc", "sms", "tel", "user", "vbm").
In some other cases the only thing in the spec, but not the registry, is a reference to another spec, so wouldn't it be better to put that reference in the registry directly? For instance, { kba; Knowledge-based authentication; [NIST.800-63-2] [ISO29115]}. Similarly for "hwk", "rba", "otp", "swk", "wia".

James Manger
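
The "pin" versus "pwd" distinction above, sketched as a relying-party check over the "amr" claim of an ID token. This is an added example, not part of the original message or of the draft. It assumes the token's signature and other claims are already validated, and the function name, the decision labels and the choice of accepted second factors are hypothetical policy.

```python
# Added example: what a relying party can conclude from "amr".
# Assumes `claims` comes from an ID token that was already verified.

# "pin": a (probably device-specific) key unlocked by a local PIN or pattern,
# with defences against repeated guesses.
DEVICE_BOUND = {"pin"}
# "pwd": password-based authentication of unknown strength.
UNKNOWN_STRENGTH = {"pwd"}
# Hypothetical policy: factors this RP accepts in addition to "pwd".
SECOND_FACTORS = {"otp", "hwk", "swk"}


def assess_amr(claims):
    """Return (decision, reason); decision is allow, step_up or reject."""
    if "amr" not in claims:
        # The claim is optional, so its absence says nothing about the method.
        return ("step_up", "no amr claim")
    amr = claims["amr"]
    # "amr" is a JSON array of case-sensitive strings; anything else is malformed.
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        return ("reject", "amr is not an array of strings")
    methods = set(amr)  # exact match only: "PIN" is not "pin"
    if methods & DEVICE_BOUND:
        return ("allow", "device-held key unlocked with a local PIN")
    if methods & UNKNOWN_STRENGTH:
        if methods & SECOND_FACTORS:
            return ("allow", "password plus an accepted second factor")
        return ("step_up", "password only, strength unknown")
    return ("step_up", "no recognised method")


if __name__ == "__main__":
    # Constructed sample claim sets, not taken from real tokens.
    samples = [
        {"amr": ["pin"]},
        {"amr": ["pwd"]},
        {"amr": ["pwd", "otp"]},
        {"amr": ["PIN"]},
        {"amr": "pin"},
        {},
    ]
    for claims in samples:
        print(claims, "->", assess_amr(claims))
```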