Re: AW: [TLS] OTP-TLS I-D [Was: FW: I-D ACTION:draft-linn-otp-tls-00.txt]

Hello Hannes,

Yes, the cited I-D would, if implemented, enable another method of using 
OTPs within TLS - one could do EAP-POTP within the EAP-Message etc. RADIUS 
attributes, encapsulated in the IA phase of TLS-IA.

It seems, however, to complicate deployments quite a lot to introduce a 
requirement for EAP as well as elements of RADIUS and Diameter just to 
support OTPs in TLS now that TLS-PSK exists. And, contrary to what is 
stated in the TLS-IA I-D, TLS-PSK does allow use of a server certificate 
in conjunction with PSKs. We therefore feel that the draft provides some 
advantages over the alternative of using EAP-POTP within TLS-IA.

-- Magnus

On Wed, 14 Jun 2006, Tschofenig, Hannes wrote:

> Since OTP is available via EAP methods it is also possible to use 
> http://www.tschofenig.com/drafts/draft-funk-tls-inner-application-extension-02.txt
>
> This would avoid putting every single EAP method inside the TLS 
> handshake.
>
> Ciao
> Hannes
>
>> -----Ursprüngliche Nachricht-----
>> Von: Linn, John [mailto:jlinn@rsasecurity.com]
>> Gesendet: Mittwoch, 14. Juni 2006 13:17
>> An: tls@ietf.org
>> Cc: Nyström, Magnus
>> Betreff: [TLS] OTP-TLS I-D [Was: FW: I-D
>> ACTION:draft-linn-otp-tls-00.txt]
>>
>> This recent I-D constitutes a profile layered on TLS-PSK,
>> intended to authenticate TLS connections with the general
>> class of One-Time Password (OTP) methods.  We'd like to
>> invite review and comment in the TLS WG.
>>
>> --jl
>>
>> -----Original Message-----
>> From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org]
>> Sent: Wednesday, June 07, 2006 3:50 PM
>> To: i-d-announce@ietf.org
>> Subject: I-D ACTION:draft-linn-otp-tls-00.txt
>>
>> A New Internet-Draft is available from the on-line
>> Internet-Drafts directories.
>>
>>
>> 	Title		: OTP Methods for TLS
>> 	Author(s)	: J. Linn, M. Nystroem
>> 	Filename	: draft-linn-otp-tls-00.txt
>> 	Pages		: 21
>> 	Date		: 2006-6-7
>>
>> This document describes means for applying One-Time Password (OTP)
>> methods to authenticate Transport Layer Security sessions, operating
>> in conjunction with Pre-Shared Key (PSK) ciphersuites defined for use
>> with TLS.
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-linn-otp-tls-00.txt
>>
>> To remove yourself from the I-D Announcement list, send a message to
>> i-d-announce-request@ietf.org with the word unsubscribe in
>> the body of the message.
>> You can also visit
>> https://www1.ietf.org/mailman/listinfo/I-D-announce
>> to change your subscription settings.
>>
>>
>> Internet-Drafts are also available by anonymous FTP. Login
>> with the username
>> "anonymous" and a password of your e-mail address. After logging in,
>> type "cd internet-drafts" and then
>> 	"get draft-linn-otp-tls-00.txt".
>>
>> A list of Internet-Drafts directories can be found in
>> http://www.ietf.org/shadow.html
>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>
>>
>> Internet-Drafts can also be obtained by e-mail.
>>
>> Send a message to:
>> 	mailserv@ietf.org.
>> In the body type:
>> 	"FILE /internet-drafts/draft-linn-otp-tls-00.txt".
>>
>> NOTE:	The mail server at ietf.org can return the document in
>> 	MIME-encoded form by using the "mpack" utility.  To use this
>> 	feature, insert the command "ENCODING mime" before the "FILE"
>> 	command.  To decode the response(s), you will need "munpack" or
>> 	a MIME-compliant mail reader.  Different MIME-compliant
>> mail readers
>> 	exhibit different behavior, especially when dealing with
>> 	"multipart" MIME messages (i.e. documents which have been split
>> 	up into multiple messages), so check your local documentation on
>> 	how to manipulate these messages.
>>
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>>
>