Thanks for your review, Hannes. Replies are inline...

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, August 3, 2016 12:51 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Review of draft-ietf-oauth-amr-values-01

Hi Mike, Phil, Tony,

I have read through draft-ietf-oauth-amr-values-01. My earlier comments have been addressed. As a shepherd I nevertheless have a few questions/remarks:

1) The term 'multiple-channel authentication' is unfamiliar to me. Could you give me an example or a reference to a specification?

https://www.ldapwiki.com/wiki/Multiple-channel%20Authentication has a clear explanation. However, I'm reluctant to reference a wiki page that may be transient from an RFC. If anyone out there has a more stable reference to suggest, please do so. Instead, I've added this example text for -02:

For instance, a multiple-channel authentication might involve both entering information into a workstation's browser and providing information on a telephone call to a pre-registered number.

2) PIN: The use of RFC 2119 language appears to be inappropriate.

Thanks, will be fixed in -02.

3) Could you explain to me what 'risk-based authentication' is? While you provided a reference

https://en.wikipedia.org/wiki/Risk-based_authentication has a clear explanation. Bruce Schneier writes about it in a blog post here: https://www.schneier.com/blog/archives/2013/11/risk-based_auth.html. Deloitte has a primer at http://deloitte.wsj.com/cio/2013/10/30/risk-based-authentication-a-primer/. There's lots of material on the web and the term is pretty widely known in authentication/identity circles. Unfortunately, as with "mca", I don't know of a great authoritative reference to cite. Any suggestions out there?

4) Could we generalize the term 'wia' to operating systems other than Windows as well?

I don't think so. It consists of a particular set of documented protocol interactions, as described at http://blogs.msdn.com/b/benjaminperkins/archive/2011/09/14/iis-integrated-windows-authentication-with-negotiate.aspx. That said, because these protocols are publicly documented, other systems (maybe SAMBA?) may have also implemented it.

5) I am not sure whether all normative references indeed need to be declared as such. For example, 'otp' is defined in a very generic fashion but you list HOTP and TOTP as normative references. I would rather see HOTP and TOTP as standardized examples of one-time passwords. IMHO the story would be different if you indeed want to differentiate between the different technical mechanisms themselves.

This is a reasonable approach as well if the security differences between the mechanisms are important for the given application. If use cases arise in which applications want to define additional "amr" values "hotp" and/or "totp", they can use the registry established by this application to do so. It's explicitly not a goal of this specification to define all practical values. Rather, it defines a few values that are actually in production use and, even more importantly, establishes the registry for defining more, as needed in practice.

Ciao
Hannes

Thanks again,
-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
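An added example, not code from the draft or from either participant in this thread: a relying-party check of the "amr" (Authentication Methods References) claim as it appears in an OpenID Connect ID Token payload. The value names come from RFC 8176, the published form of draft-ietf-oauth-amr-values, whose registry is what item 5 refers to. The "hotp"/"totp" values are treated here as hypothetical application-registered additions of the kind the thread discusses, the policy table is invented for the demonstration, and the ID Token payloads are constructed inline; signature verification of the token is assumed to have happened before these claims are inspected.

```python
"""Relying-party evaluation of the "amr" claim in an ID Token payload.

Per RFC 8176 the claim is a JSON array of case-sensitive strings, each naming
an authentication method that was used.  The registry it creates lets
applications add values beyond the initial set, so this code reports unknown
values instead of rejecting the token outright.
"""
from __future__ import annotations

# Values registered by RFC 8176 in the "Authentication Method Reference Values"
# registry.  "otp" deliberately covers both HOTP and TOTP.
RFC8176_AMR_VALUES = frozenset({
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
    "pwd", "rba", "retina", "sc", "swk", "sms", "tel", "user", "vbm", "wia",
})

# Assumption for this example: this application has registered finer-grained
# one-time-password values, as item 5 of the thread contemplates.
APPLICATION_AMR_VALUES = frozenset({"hotp", "totp"})


class AmrError(ValueError):
    """The "amr" claim is present but not a JSON array of strings."""


def parse_amr(claims: dict) -> list[str]:
    """Return the "amr" array from a (signature-verified) ID Token payload.

    Returns [] when the optional claim is absent.  Values are not normalised:
    RFC 8176 makes them case-sensitive, so "PWD" is not "pwd".
    """
    if "amr" not in claims:
        return []
    amr = claims["amr"]
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise AmrError('"amr" must be a JSON array of strings')
    return list(amr)


def unknown_amr_values(amr: list[str]) -> list[str]:
    """Values registered neither by RFC 8176 nor by this application."""
    known = RFC8176_AMR_VALUES | APPLICATION_AMR_VALUES
    return [v for v in amr if v not in known]


# Invented policy for this example.  Each inner set is one acceptable
# combination of methods.  "mfa" and "mca" already assert more than one factor
# or channel; otherwise a password plus a possession-based factor is required.
# "rba" and "geo" are risk signals, not factors, so they never satisfy this
# policy by themselves.
DEFAULT_POLICY = (
    frozenset({"mfa"}),
    frozenset({"mca"}),
    frozenset({"pwd", "otp"}),
    frozenset({"pwd", "hotp"}),
    frozenset({"pwd", "totp"}),
    frozenset({"pwd", "hwk"}),
    frozenset({"pwd", "sc"}),
)


def amr_satisfies(claims: dict, policy=DEFAULT_POLICY) -> bool:
    """True if the token's "amr" values contain an acceptable combination."""
    present = set(parse_amr(claims))
    return any(combo <= present for combo in policy)


if __name__ == "__main__":
    # Constructed ID Token payloads (claims only; the JWT envelope is omitted).
    samples = {
        "password + otp":   {"sub": "alice", "amr": ["pwd", "otp"]},
        "password + rba":   {"sub": "bob", "amr": ["pwd", "rba"]},
        "multi-channel":    {"sub": "carol", "amr": ["mca"]},
        "app-specific":     {"sub": "dave", "amr": ["pwd", "totp", "u2f"]},
        "no amr claim":     {"sub": "erin"},
    }
    for label, claims in samples.items():
        amr = parse_amr(claims)
        print(f"{label:16} amr={amr} ok={amr_satisfies(claims)} "
              f"unknown={unknown_amr_values(amr)}")
```

The check is deliberately a whitelist of combinations rather than a count of array entries: an issuer that emits `["pwd", "rba", "geo"]` has listed three things but performed one authentication factor, and an array containing `"mfa"` alone is a stronger statement than one containing two unrelated values.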