On Mon, Mar 06, 2017 at 08:05:11AM -0500, Phillip Hallam-Baker wrote:
> What we are discussing goes beyond two factor auth. If you have a cell
> phone with a device specific signature key, it can sign the response which
> means that you automatically collect up a non-repudiable audit log of the
> user's actions. This is beyond anything possible with OTP number sequences
> or USB dongles.

Indeed. I suspect there are a lot of unexplored uses for such a standard, but
haven't explored it fully yet. (Note also that the lack of deniability could
be seen as a positive thing _or_ a negative thing, depending.)

> I am interested and have developed several protocols of this type using
> JSON. My work provides prior art back to 2010 at the very least.

Are there any public references for this work?

I think what makes most sense at this point is for me to draw up a rough
Internet draft and then send it to the Security area and see what they think
the best way forward is. Looking at prior work will probably aid in the
design of such a draft.

Does that seem okay to those who have expressed interest in this?

Cheers!
AJ
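The signed-response audit trail Phillip describes above, worked through as an added Go example that is not from the thread or from any participant's protocol: a JSON body signed with a device-held key, checked by the server at login and re-checked later by an auditor, so that an altered record or a signature from a different device fails verification. The field layout, the Ed25519 choice and the sample values are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Response is the device-signed JSON body; the field layout is assumed for this example.
type Response struct {
	DeviceID  string `json:"device_id"`
	Challenge string `json:"challenge"` // server-issued nonce: ties the record to one login
	Action    string `json:"action"`    // the user action the device is attesting to
}

// Entry is one audit-log record: the exact signed bytes plus the device's signature.
type Entry struct {
	Body, Sig []byte
}

// Sign runs on the device: serialise the response and sign those exact bytes.
func Sign(priv ed25519.PrivateKey, r Response) (Entry, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return Entry{}, err
	}
	return Entry{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify is the check the server makes at login and an auditor can repeat later: true only if the registered device key signed exactly these bytes.
func Verify(pub ed25519.PublicKey, e Entry) bool {
	return ed25519.Verify(pub, e.Body, e.Sig)
}

// AuditLog re-verifies a stored log: (index of first bad entry, false) or (count, true).
func AuditLog(pub ed25519.PublicKey, log []Entry) (int, bool) {
	for i, e := range log {
		if !Verify(pub, e) {
			return i, false
		}
	}
	return len(log), true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device key pair, made at enrolment
	e, _ := Sign(priv, Response{"phone-1", "nonce-42", "login"})
	fmt.Println(AuditLog(pub, []Entry{e})) // prints: 1 true
}
```

Because each record carries the signed bytes themselves, the log can be handed to a third party with only the device's public key and still be checked entry by entry.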