ietf

Re: Interest in a push-based two-factor auth standard?

2017-03-07 14:37:41
On Mon, Mar 06, 2017 at 08:05:11AM -0500, Phillip Hallam-Baker wrote:

> What we are discussing goes beyond two factor auth. If you have a cell
> phone with a device specific signature key, it can sign the response which
> means that you automatically collect up a non repudiable audit log of the
> user's actions. This is beyond anything possible with OTP number sequences
> or USB dongles.

Indeed. I suspect there are a lot of unexplored uses for such a
standard, but haven't explored it fully yet. (Note also that the lack
of deniability could be seen as a positive thing _or_ a negative
thing, depending.)

> I am interested and have developed several protocols of this type using
> JSON. My work provides prior art back to 2010 at the very least.

Are there any public references for this work?

I think what makes most sense at this point is for me to draw up a
rough Internet draft and then send it to the Security area and see
what they think the best way forward is. Looking at prior work will
probably aid in the design of such a draft.

Does that seem okay to those who have expressed interest in this?

Cheers!

AJ
