[RADIATOR] Fwd: [suggestions] draft-mraihi-totp-timebased-06.txt

Mike McCauley mikem at open.com.au
Sun Oct 17 18:20:43 CDT 2010


Hello Matthew,

thanks for your note and the response from the TOTP authors.

We find it very disappointing that the authors of the draft RFC 'imply' that 
some type of replay detection is required but don't actually specify how it 
is to be done.

We fully expected the authors to add details about replay detection to their 
draft before requesting an RFC.
We believe that this is sufficient cause to object to the RFC, and to require 
that the draft be improved. 

We think that for guaranteed interoperation between clients and authenticators 
(and therefore guaranteed correct operation of your system), this should be 
part of the specification.

Nevertheless, we have added replay detection to AuthBy SQLTOTP, according to 
our view of how it should be done. This has required
an additional column in the sample SQL database schema, and changes to the
default AuthSelect and UpdateQuery parameters. 

The new code is now available in the latest Radiator patch set.
Please let me know how you get on with this.

Cheers.


On Monday 18 October 2010 07:14:52 am Matthew Reeves-Hairs wrote:
> Hi,
>   Please see the email below from the authors of the above draft spec.
>
>   Can you say when this may be included into radiator?
>
> Regards
>
> Matthew
>
> Matthew Reeves-Hairs MBCS
> (CCNA, CCNP, CCDA)
> Director
>
> Willow ICT Limited
> 13 Willow Close
> Great Hormead
> Hertfordshire, SG9 0NW
> Mobile: +44 (0)7912 202627
> Fax: +44 (0)7092 361501
> matthew.reeves-hairs at willowict.com
> http://www.willowict.com
>
> Begin forwarded message:
> > From: "Bajaj, Siddharth" <SBajaj at verisign.com>
> > Date: 16 October 2010 01:13:02 GMT+01:00
> > To: <matthew.reeves-hairs at willowict.com>
> > Cc: "Pei, Mingliang" <mpei at verisign.com>, "Johan Rydell"
> > <johan.rydell at portwise.com>, "Philip Hoyer" <phoyer at actividentity.com>
> > Subject: FW: [suggestions] draft-mraihi-totp-timebased-06.txt
> >
> >
> >
> > Hi Matthew,
> >
> > First of all let me apologize for not responding to your inquiry sooner.
> > Thanks for pointing out this gap in the TOTP specification.
> >
> > Even though this is not explicitly stated in the document - by
> > definition OTPs or one-time passwords are meant to be used only once.
> > This is also implied in the discussion in the last paragraph of section
> > 5.2 of the I-D.
> >
> > We are hoping that this I-D is approved as an RFC in next couple of
> > months. If we have an opportunity to add explicit clarifying language to
> > address your concern, we will definitely do that.
> >
> > In the interim, you can refer the vendor to my email and the spec
> > authors.
> >
> > We are also launching the OATH certification program that will require
> > any vendor who claims their product to be 'OATH certified' to be
> > compliant with the certification documents.
> >
> > Thanks,
> >
> > Siddharth
> >
> > -----Original Message-----
> > From: Jason Thompson [mailto:jason at jdthompson.com]
> > Sent: Wednesday, September 22, 2010 4:49 PM
> > To: Bajaj, Siddharth
> > Subject: FW: [suggestions] draft-mraihi-totp-timebased-06.txt
> >
> >
> > -----Original Message-----
> > From: Matthew.reeves-hairs at willowict.com
> > Sent: Monday, September 20, 2010 8:14 AM
> > To: suggestions at openauthentication.org
> > Subject: [suggestions] draft-mraihi-totp-timebased-06.txt
> >
> > mreeves sent a message using the contact form at
> > http://www.openauthentication.org/contact.
> >
> > Can you advise if the above mentioned document will be amended to fall in
> > line with the certification document as published on this site?
> >
> > I have hit a problem where a supplier of a RADIUS system accepts multiple
> > authentications using the same TOTP; they state that they conform to the
> > standard, quoting the above doc, which makes no mention of only allowing a
> > TOTP to be used once, where the certification doc specifically mentions
> > this.
> >
> > Thanks
> >
> > Matthew Reeves-Hairs
> >



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
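As an added illustration of the replay detection discussed above (example code, not Radiator's AuthBy SQLTOTP or its schema): a TOTP verifier that keeps the last accepted time step in an extra column, fetched by the select and written back by the update, and rejects any step at or before it, so a code can be accepted only once. The HMAC-SHA-1, 30-second step and 6-digit truncation follow the TOTP draft; the SQLite table, the column name `last_step`, the one-step drift window and the sample user are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3
import struct

STEP = 30      # TOTP time step in seconds (draft default)
DIGITS = 6     # code length
WINDOW = 1     # accept one step of clock drift either side


def totp(secret: bytes, t: int) -> str:
    """HOTP dynamic truncation applied to the 64-bit big-endian time step t."""
    mac = hmac.new(secret, struct.pack(">Q", t), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def open_db() -> sqlite3.Connection:
    # Constructed schema: last_step is the extra replay-detection column.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers "
               "(username TEXT PRIMARY KEY, secret BLOB, last_step INTEGER)")
    return db


def enroll(db: sqlite3.Connection, username: str, secret: bytes) -> None:
    db.execute("INSERT INTO subscribers VALUES (?, ?, NULL)", (username, secret))
    db.commit()


def verify(db: sqlite3.Connection, username: str, code: str, now: int) -> bool:
    """Return True once per time step: a code already consumed is a replay."""
    row = db.execute("SELECT secret, last_step FROM subscribers WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    secret, last_step = row
    t_now = now // STEP
    for t in range(t_now - WINDOW, t_now + WINDOW + 1):
        if last_step is not None and t <= last_step:
            continue  # this step (or an earlier one) was already used: reject
        if hmac.compare_digest(totp(secret, t), code):
            # record the consumed step so the same code cannot be accepted again
            db.execute("UPDATE subscribers SET last_step = ? WHERE username = ?",
                       (t, username))
            db.commit()
            return True
    return False
```

With the draft's SHA-1 test secret, the code for time 59 is 287082; the first verification succeeds and a second presentation of the same code in the same step is refused.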

