Re: Interest in a push-based two-factor auth standard?

On Mon, Mar 06, 2017 at 08:05:11AM -0500, Phillip Hallam-Baker wrote:

> What we are discussing goes beyond two factor auth. If you have a cell
> phone with a device specific signature key, it can sign the response which
> means that you automatically collect up a non-repudiable audit log of the
> user's actions. This is beyond anything possible with OTP number sequences
> or USB dongles.

Indeed. I suspect there are a lot of unexplored uses for such a
standard, but haven't explored it fully yet. (Note also that the lack
of deniability could be seen as a positive thing _or_ a negative
thing, depending.)

> I am interested and have developed several protocols of this type using
> JSON. My work provides prior art back to 2010 at the very least.

Are there any public references for this work?

I think what makes most sense at this point is for me to draw up a
rough Internet draft and then send it to the Security area and see
what they think the best way forward is. Looking at prior work will
probably aid in the design of such a draft.

Does that seem okay to those who have expressed interest in this?

Cheers!

AJ

Attachment: signature.asc
Description: PGP signature
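
The signed-response idea from the quoted paragraph, sketched as an added example; it is not part of the original message and not any protocol proposed in this thread. The JSON message layout, field names and function names are all assumptions, and the key pair is generated in-process to stand in for a phone's device-specific key.

```javascript
const crypto = require('crypto');

// Server: the challenge names the action, so the signature covers what was approved.
function issueChallenge(state, user, action) {
  const challenge = { user, action, nonce: crypto.randomBytes(16).toString('hex') };
  state.pending.add(challenge.nonce);
  return challenge;
}

// Fixed field order so signer and verifier serialize identical bytes (assumed format).
function signedBytes({ user, action, nonce }, decision) {
  return Buffer.from(JSON.stringify({ user, action, nonce, decision }));
}

// Device: sign the challenge together with the user's decision.
function deviceRespond(privateKey, challenge, decision) {
  const sig = crypto.sign(null, signedBytes(challenge, decision), privateKey).toString('base64');
  return { challenge, decision, sig };
}

// Server or auditor: check one entry against the enrolled device public key.
function verifyEntry(publicKey, e) {
  return crypto.verify(null, signedBytes(e.challenge, e.decision), publicKey, Buffer.from(e.sig, 'base64'));
}

// Server: log a response only if it answers an outstanding nonce and verifies.
function acceptResponse(state, publicKey, entry) {
  if (!state.pending.has(entry.challenge.nonce) || !verifyEntry(publicKey, entry)) return false;
  state.pending.delete(entry.challenge.nonce); // each challenge is answered once
  state.log.push(entry);
  return true;
}

// Auditor: indices of log entries whose signature no longer verifies.
function auditLog(publicKey, log) {
  return log.flatMap((e, i) => (verifyEntry(publicKey, e) ? [] : [i]));
}

// Constructed run: one approval, a replay of it, then an edited copy of the log.
function demo() {
  const device = crypto.generateKeyPairSync('ed25519'); // stands in for the phone's key
  const state = { pending: new Set(), log: [] };
  const r = deviceRespond(device.privateKey, issueChallenge(state, 'alice', 'login from new browser'), 'approve');
  const first = acceptResponse(state, device.publicKey, r);
  const tampered = JSON.parse(JSON.stringify(state.log));
  tampered[0].challenge.action = 'wire transfer'; // log edited after the fact
  return { first, replay: acceptResponse(state, device.publicKey, r), clean: auditLog(device.publicKey, state.log), bad: auditLog(device.publicKey, tampered) };
}
console.log(demo());
```

Because each log entry carries the device signature over the action text, an auditor holding only the public key can detect an edited entry; an OTP code proves nothing about which action was approved.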

