On Tue, Mar 7, 2017 at 3:37 PM, Alex Jordan <alex@xxxxxxxxxxx> wrote:
On Mon, Mar 06, 2017 at 08:05:11AM -0500, Phillip Hallam-Baker wrote:
> What we are discussing goes beyond two factor auth. If you have a cell
> phone with a device specific signature key, it can sign the response which
> means that you automatically collect up a non repudiable audit log of the
> user's actions. This is beyond anything possible with OTP number sequences
> or USB dongles.
Indeed. I suspect there are a lot of unexplored uses for such a
standard, but haven't explored it fully yet. (Note also that the lack
of deniability could be seen as a positive thing _or_ a negative
thing, depending.)
> I am interested and have developed several protocols of this type using
> JSON. My work provides prior art back to 2010 at the very least.
Are there any public references for this work?
That is not the latest version. There might even be a later published version.
I have code. The reason I have not updated the drafts is that right now I am working on the problem of binding all the user's devices together so that they can respond to a confirmation request from their phone or their watch or any other device(s) they pick. Each device always signs with a unique device key, however, so the signatures can be tracked back to the device used.
I think what makes most sense at this point is for me to draw up a
rough Internet draft and then send it to the Security area and see
what they think the best way forward is. Looking at prior work will
probably aid in the design of such a draft.
Does that seem okay to those who have expressed interest in this?
Cheers!
AJ
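The flow Phillip describes above (several devices bound to one user, each signing confirmation responses with its own device key, so the relying party ends up with a signature-backed audit log attributable to a specific device) sketched in Go using the standard library's Ed25519. This is an added illustration, not code from Phillip's drafts or from any Internet-Draft; the message layout, the field names, the single-use nonce check and the names `Verifier`, `Device` and `Confirmation` are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Confirmation is what a device signs. The field set is an assumption for
// this example, not the encoding of any published draft.
type Confirmation struct {
	User, DeviceID, Nonce, Action string
	Approve                       bool
}

// encode renders a Confirmation into the bytes that are signed and verified.
// Each field is length-prefixed so field boundaries are unambiguous.
func encode(c Confirmation) []byte {
	var out []byte
	for _, f := range []string{c.User, c.DeviceID, c.Nonce, c.Action, fmt.Sprint(c.Approve)} {
		out = append(out, byte(len(f)>>8), byte(len(f))) // fields assumed < 64 KiB
		out = append(out, f...)
	}
	return out
}

// AuditEntry is what the relying party keeps: the signed confirmation plus the
// signature, re-verifiable later against the device's registered public key.
type AuditEntry struct {
	Conf Confirmation
	Sig  []byte
}

// Verifier holds each user's registered device keys, the outstanding request
// nonces, and the audit log. Nonces are single-use so a captured signature
// cannot be replayed as a fresh approval.
type Verifier struct {
	devices map[string]map[string]ed25519.PublicKey // user -> deviceID -> key
	pending map[string]Confirmation                  // nonce -> issued request
	Log     []AuditEntry
}

func NewVerifier() *Verifier {
	return &Verifier{devices: map[string]map[string]ed25519.PublicKey{}, pending: map[string]Confirmation{}}
}

// RegisterDevice binds one device key to a user. Because every device has its
// own key, a later signature identifies which device acted.
func (v *Verifier) RegisterDevice(user, deviceID string, pub ed25519.PublicKey) {
	if v.devices[user] == nil {
		v.devices[user] = map[string]ed25519.PublicKey{}
	}
	v.devices[user][deviceID] = pub
}

// Issue creates a confirmation request for an action and records its nonce.
func (v *Verifier) Issue(user, action string) (Confirmation, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Confirmation{}, err
	}
	c := Confirmation{User: user, Nonce: hex.EncodeToString(raw), Action: action}
	v.pending[c.Nonce] = c
	return c, nil
}

// Accept checks a signed response: the nonce must be outstanding, user and
// action must match what was issued, the device must be registered to that
// user, and the signature must verify under that device's key. On success the
// nonce is consumed and the entry is appended to the audit log.
func (v *Verifier) Accept(c Confirmation, sig []byte) error {
	issued, ok := v.pending[c.Nonce]
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	if issued.User != c.User || issued.Action != c.Action {
		return errors.New("response does not match issued request")
	}
	pub, ok := v.devices[c.User][c.DeviceID]
	if !ok {
		return errors.New("device not registered to user")
	}
	if !ed25519.Verify(pub, encode(c), sig) {
		return errors.New("bad signature")
	}
	delete(v.pending, c.Nonce)
	v.Log = append(v.Log, AuditEntry{Conf: c, Sig: sig})
	return nil
}

// Audit re-verifies every logged entry against the registered keys; this is
// what makes the log attributable rather than merely recorded.
func (v *Verifier) Audit() (int, error) {
	for i, e := range v.Log {
		pub, ok := v.devices[e.Conf.User][e.Conf.DeviceID]
		if !ok || !ed25519.Verify(pub, encode(e.Conf), e.Sig) {
			return i, fmt.Errorf("audit entry %d does not verify", i)
		}
	}
	return len(v.Log), nil
}

// Device is one of the user's bound devices, holding its own private key.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Device{}, nil, err
	}
	return Device{ID: id, priv: priv}, pub, nil
}

// Respond fills in the device identity and decision, then signs the result.
func (d Device) Respond(req Confirmation, approve bool) (Confirmation, []byte) {
	req.DeviceID = d.ID
	req.Approve = approve
	return req, ed25519.Sign(d.priv, encode(req))
}

func main() {
	v := NewVerifier()
	watch, watchPub, _ := NewDevice("watch")
	v.RegisterDevice("alice", "watch", watchPub)
	req, _ := v.Issue("alice", "transfer 100 EUR to account 42") // constructed sample action
	resp, sig := watch.Respond(req, true)
	fmt.Println("accept:", v.Accept(resp, sig), "replay:", v.Accept(resp, sig))
}
```

The point of the per-device key shows up in `Accept`: the verifier looks the key up by `(user, device)`, so a response signed by the phone cannot be presented as coming from the watch, and `Audit` can later re-check every entry without trusting the log itself. What this sketch does not cover is the hard part Phillip mentions, the enrolment step that binds the device keys to the user in the first place.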