
Re: Interest in a push-based two-factor auth standard?

2017-03-07 20:03:05
On Tue, Mar 7, 2017 at 3:37 PM, Alex Jordan <alex(_at_)strugee(_dot_)net> wrote:

On Mon, Mar 06, 2017 at 08:05:11AM -0500, Phillip Hallam-Baker wrote:

What we are discussing goes beyond two factor auth. If you have a cell
phone with a device specific signature key, it can sign the response which
means that you automatically collect up a non repudiable audit log of the
user's actions. This is beyond anything possible with OTP number sequences
or USB dongles.

Indeed. I suspect there are a lot of unexplored uses for such a
standard, but haven't explored it fully yet. (Note also that the lack
of deniability could be seen as a positive thing _or_ a negative
thing, depending.)

I am interested and have developed several protocols of this type using
JSON. My work provides prior art back to 2010 at the very least.

Are there any public references for this work?


https://tools.ietf.org/id/draft-hallambaker-owcp-00.txt
https://tools.ietf.org/html/draft-hallambaker-sxs-confirm-02

That is not the latest version. There might even be a later published
version.

I have code. The reason I have not updated the drafts is that right now I
am working on the problem of binding all the user's devices together so
that they can respond to a confirmation request from their phone or their
watch or any other device(s) they pick. Each device always signs with a
unique device key however so the signatures can be tracked back to the
device used.





I think what makes most sense at this point is for me to draw up a
rough Internet draft and then send it to the Security area and see
what they think the best way forward is. Looking at prior work will
probably aid in the design of such a draft.

Does that seem okay to those who have expressed interest in this?

Cheers!

AJ
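
Added example, not code from this thread or from the cited drafts: a Go illustration of the per-device signing discussed above, where each enrolled device signs its confirmation response with its own key and a verifier attributes each audit-log entry to one device. Ed25519, the JSON field names, and the device identifiers are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Response is a hypothetical confirmation response; the field names are assumptions, not the drafts' format.
type Response struct {
	RequestID string `json:"request_id"`
	DeviceID  string `json:"device_id"`
	Decision  string `json:"decision"`
}

// Signed is one audit-log entry: the exact bytes that were signed, plus the signature.
type Signed struct {
	Payload, Sig []byte
}

// SignResponse serializes the response and signs it with the device's own private key.
func SignResponse(r Response, priv ed25519.PrivateKey) (Signed, error) {
	payload, err := json.Marshal(r)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Attribute checks an entry against the enrolled device keys and returns the signing device.
func Attribute(s Signed, enrolled map[string]ed25519.PublicKey) (string, error) {
	var r Response
	if err := json.Unmarshal(s.Payload, &r); err != nil {
		return "", err
	}
	pub, ok := enrolled[r.DeviceID]
	if !ok {
		return "", fmt.Errorf("device %q is not enrolled", r.DeviceID)
	}
	if !ed25519.Verify(pub, s.Payload, s.Sig) {
		return "", fmt.Errorf("signature does not match key of device %q", r.DeviceID)
	}
	return r.DeviceID, nil
}

func main() { // constructed sample: one enrolled device answering one request
	pub, priv, _ := ed25519.GenerateKey(nil)
	s, _ := SignResponse(Response{RequestID: "req-1", DeviceID: "watch", Decision: "approve"}, priv)
	fmt.Println(Attribute(s, map[string]ed25519.PublicKey{"watch": pub}))
}
```

Because the claimed device identifier is inside the signed payload and is checked against that device's enrolled public key, a response signed by one device cannot be logged as coming from another.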
