Re: AW: [TLS] OTP-TLS I-D [Was: FW: I-D ACTION:draft-linn-otp-tls-00.txt]

Magnus Nyström <magnus@rsasecurity.com> Mon, 19 June 2006 12:19 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FsIjA-0006aZ-7W; Mon, 19 Jun 2006 08:19:36 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FsIj8-0006aU-U5 for tls@ietf.org; Mon, 19 Jun 2006 08:19:34 -0400
Received: from tholian.rsasecurity.com ([216.162.240.129]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FsIj8-00023a-Jk for tls@ietf.org; Mon, 19 Jun 2006 08:19:34 -0400
Received: from hyperion.rsasecurity.com by tholian.rsasecurity.com via smtpd (for stiedprmail1.ietf.org [156.154.16.150]) with ESMTP; Mon, 19 Jun 2006 08:18:36 -0400
Received: from sdtihq24.securid.com (sdtihq24.na.rsa.net [10.100.8.152]) by hyperion.na.rsa.net (MOS 3.7.4b-GA) with ESMTP id CPN14164; Mon, 19 Jun 2006 08:11:17 +0500 (GMT-5)
Received: from rsana-ex-hq1.NA.RSA.NET (rsana-ex-hq1.na.rsa.net [10.100.8.50]) by sdtihq24.securid.com (8.12.10/8.12.9) with ESMTP id k5JC9PDU017773; Mon, 19 Jun 2006 08:09:25 -0400 (EDT)
Received: from rsana-ex-sm1.NA.RSA.NET ([10.80.211.17]) by rsana-ex-hq1.NA.RSA.NET with Microsoft SMTPSVC(6.0.3790.211); Mon, 19 Jun 2006 08:09:25 -0400
Received: from localhost ([10.129.13.11]) by rsana-ex-sm1.NA.RSA.NET with Microsoft SMTPSVC(6.0.3790.211); Mon, 19 Jun 2006 05:09:32 -0700
Date: Mon, 19 Jun 2006 14:09:47 +0200 (W. Europe Daylight Time)
From: =?iso-8859-1?Q?Magnus_Nystr=F6m?= <magnus@rsasecurity.com>
To: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
Subject: Re: AW: [TLS] OTP-TLS I-D [Was: FW: I-D ACTION:draft-linn-otp-tls-00.txt]
In-Reply-To: <A5D2BD54850CCA4AA3B93227205D8A30614F03@MCHP7IEA.ww002.siemens.net>
Message-ID: <Pine.WNT.4.62.0606191355590.5356@CTO-LAPTOP.eu.rsa.net>
References: <A5D2BD54850CCA4AA3B93227205D8A30614F03@MCHP7IEA.ww002.siemens.net>
X-X-Sender: mnystrom@[10.80.211.17]
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="17534373-32636-1150718987=:5356"
X-OriginalArrivalTime: 19 Jun 2006 12:09:33.0024 (UTC) FILETIME=[397A6600:01C69399]
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 1676547e4f33b5e63227e9c02bd359e3
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: magnus@rsasecurity.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Hello Hannes,

Yes, the cited I-D would, if implemented, enable another method of using 
OTPs within TLS - one could do EAP-POTP within the EAP-Message etc. RADIUS 
attributes, encapsulated in the IA phase of TLS-IA.

It seems, however, to complicate deployments quite a lot to introduce a 
requirement for EAP as well as elements of RADIUS and Diameter just to 
support OTPs in TLS now that TLS-PSK exists. And, contrary to what is 
stated in the TLS-IA I-D, TLS-PSK does allow use of a server certificate 
in conjunction with PSKs. We therefore feel that the draft provides some 
advantages over the alternative of using EAP-POTP within TLS-IA.

-- Magnus

On Wed, 14 Jun 2006, Tschofenig, Hannes wrote:

> Since OTP is available via EAP methods it is also possible to use 
> http://www.tschofenig.com/drafts/draft-funk-tls-inner-application-extension-02.txt
>
> This would avoid putting every single EAP method inside the TLS 
> handshake.
>
> Ciao
> Hannes
>
>> -----Ursprüngliche Nachricht-----
>> Von: Linn, John [mailto:jlinn@rsasecurity.com]
>> Gesendet: Mittwoch, 14. Juni 2006 13:17
>> An: tls@ietf.org
>> Cc: Nyström, Magnus
>> Betreff: [TLS] OTP-TLS I-D [Was: FW: I-D
>> ACTION:draft-linn-otp-tls-00.txt]
>>
>> This recent I-D constitutes a profile layered on TLS-PSK,
>> intended to authenticate TLS connections with the general
>> class of One-Time Password (OTP) methods.  We'd like to
>> invite review and comment in the TLS WG.
>>
>> --jl
>>
>> -----Original Message-----
>> From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
>> Sent: Wednesday, June 07, 2006 3:50 PM
>> To: i-d-announce@ietf.org
>> Subject: I-D ACTION:draft-linn-otp-tls-00.txt
>>
>> A New Internet-Draft is available from the on-line
>> Internet-Drafts directories.
>>
>>
>> 	Title		: OTP Methods for TLS
>> 	Author(s)	: J. Linn, M. Nystroem
>> 	Filename	: draft-linn-otp-tls-00.txt
>> 	Pages		: 21
>> 	Date		: 2006-6-7
>>
>> This document describes means for applying One-Time Password (OTP)
>> methods to authenticate Transport Layer Security sessions, operating
>> in conjunction with Pre-Shared Key (PSK) ciphersuites defined for use
>> with TLS.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-linn-otp-tls-00.txt
>>
>> To remove yourself from the I-D Announcement list, send a message to
>> i-d-announce-request@ietf.org with the word unsubscribe in
>> the body of the message.
>> You can also visit
>> https://www1.ietf.org/mailman/listinfo/I-D-announce
>> to change your subscription settings.
>>
>>
>> Internet-Drafts are also available by anonymous FTP. Login
>> with the username
>> "anonymous" and a password of your e-mail address. After logging in,
>> type "cd internet-drafts" and then
>> 	"get draft-linn-otp-tls-00.txt".
>>
>> A list of Internet-Drafts directories can be found in
>> http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>
>>
>> Internet-Drafts can also be obtained by e-mail.
>>
>> Send a message to:
>> 	mailserv@ietf.org.
>> In the body type:
>> 	"FILE /internet-drafts/draft-linn-otp-tls-00.txt".
>>
>> NOTE:	The mail server at ietf.org can return the document in
>> 	MIME-encoded form by using the "mpack" utility.  To use this
>> 	feature, insert the command "ENCODING mime" before the "FILE"
>> 	command.  To decode the response(s), you will need "munpack" or
>> 	a MIME-compliant mail reader.  Different MIME-compliant
>> mail readers
>> 	exhibit different behavior, especially when dealing with
>> 	"multipart" MIME messages (i.e. documents which have been split
>> 	up into multiple messages), so check your local documentation on
>> 	how to manipulate these messages.
>>
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>>
>
_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls