One Time Password Authentication (otp)

This Working Group did not meet

NOTE: This charter is a snapshot of the 54th IETF Meeting in Yokohama, Japan. It may now be out-of-date.

Last Modified: 07/31/2001

Chair(s):
Neil Haller <nmh@research.telcordia.com>
Ran Atkinson <rja@extremenetworks.com>
Security Area Director(s):
Jeffrey Schiller <jis@mit.edu>
Steve Bellovin <smb@research.att.com>
Security Area Advisor:
Jeffrey Schiller <jis@mit.edu>
Mailing Lists:
General Discussion: ietf-otp@research.telcordia.com
To Subscribe: ietf-otp-request@research.telcordia.com
Archive: ftp://ftp.research.telcordia.com/pub/ietf-otp/archive
Description of Working Group:
One form of attack on computing systems connected to the Internet is eavesdropping on network connections to obtain the login IDs and passwords of legitimate users [RFC 1704]; the captured credentials are then reused by the attacker, which is a replay attack. Bellcore's S/KEY(TM) one-time password system was designed to counter this type of attack [RFC 1760]. Several one-time password implementations compatible with Bellcore's S/KEY(TM) system exist. These implementations are increasingly widely deployed in the Internet to protect against passive attacks.

The object of this working group is to write a standards track RFC for one-time password technology, using the technology in the Bellcore S/KEY system and related interoperable packages (e.g., logdaemon, NRL OPIE) as the basis for the group's effort. The standards-track RFC will enhance multi-vendor interoperability in one-time password authentication technologies and thereby help reduce security risks in the Internet.

General authentication servers are outside the scope of this working group. The "S/Key-0" system being considered for use in Kerberos is outside the scope of this working group.

The standards-track specification will describe how this one-time password technology can be used with at least the MD4, MD5, and SHA algorithms. The standard one-time password dictionary from RFC 1760 will be reused in order to maintain backwards compatibility with the various deployed systems; however, support for hexadecimal-format passwords will also be mandatory to implement. The standard might specify quality checks for the secret passphrase. The standard will be specified so as to eliminate any possible conflict with the Bellcore trademark on the term "S/Key."
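The computation the paragraph above outlines, as it was eventually specified in RFC 2289 (seed lowercased, seed and passphrase hashed together, digest folded to 64 bits, the fold repeated once per sequence count, output either as 16 hex digits or as six 11-bit dictionary indices carrying a 2-bit checksum), written out as an added Python example. This is not code from the working group, from S/KEY, logdaemon or OPIE; the function and class names, the hex helpers and the server-side bookkeeping are this example's own, and the passphrase and seed are RFC 2289's own test inputs so the result can be checked against the published vectors. MD4 is reachable only through hashlib.new('md4'), which needs OpenSSL's legacy provider on some systems, so the example is exercised with MD5 and SHA1. The RFC 1760 word list is not embedded; the six-word path stops at the dictionary indices.

```python
"""RFC 2289 one-time password arithmetic, with a minimal verifier.

Added example; not the working group's or any named implementation's code.
Names (fold, otp_generate, otp_hex, parse_hex, six_word_indices,
indices_to_otp, OtpServerEntry) are this example's own.
"""
import hashlib
import struct


def fold(digest: bytes, alg: str) -> bytes:
    """Fold a digest to 64 bits.

    MD4/MD5 emit little-endian words: XOR word 0 with 2 and 1 with 3.
    SHA1 emits big-endian words: XOR 0^2^4 and 1^3, then store the two
    words little-endian so the byte layout matches the MD4/MD5 case.
    """
    if alg == "sha1":
        w = struct.unpack(">5I", digest)
        return struct.pack("<2I", w[0] ^ w[2] ^ w[4], w[1] ^ w[3])
    w = struct.unpack("<4I", digest)
    return struct.pack("<2I", w[0] ^ w[2], w[1] ^ w[3])


def _step(data: bytes, alg: str) -> bytes:
    # hashlib.new("md4") may raise on systems without OpenSSL's legacy provider.
    return fold(hashlib.new(alg, data).digest(), alg)


def otp_generate(passphrase: str, seed: str, count: int, alg: str = "md5") -> bytes:
    """Return the 8-byte one-time password for sequence number `count`."""
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1-16 alphanumeric characters")
    # The seed is case-insensitive and lowercased before use. The initial
    # step hashes seed||passphrase once; each further step hashes the
    # previous 8-byte result, so count=0 is a single hash.
    value = _step(seed.lower().encode() + passphrase.encode(), alg)
    for _ in range(count):
        value = _step(value, alg)
    return value


def otp_hex(otp: bytes) -> str:
    """Hex format as RFC 2289 prints it, e.g. '9E87 6134 D904 99DD'."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_hex(response: str) -> bytes:
    """Parse a hex response: whitespace is ignored, case is irrelevant."""
    digits = "".join(response.split())
    if len(digits) != 16:
        raise ValueError("hex OTP must be 16 hex digits")
    return bytes.fromhex(digits)


def six_word_indices(otp: bytes) -> list:
    """Split 64 bits plus a 2-bit checksum into six 11-bit dictionary indices.

    Checksum: add the 64 bits two at a time, keep the low two bits, and
    append them as the least significant bits of the sixth word.
    """
    n = int.from_bytes(otp, "big")
    checksum = sum((n >> i) & 3 for i in range(0, 64, 2)) & 3
    n66 = (n << 2) | checksum
    return [(n66 >> (55 - 11 * i)) & 0x7FF for i in range(6)]


def indices_to_otp(words: list) -> bytes:
    """Inverse of six_word_indices; rejects a response with a bad checksum."""
    n66 = 0
    for w in words:
        n66 = (n66 << 11) | (w & 0x7FF)
    otp = (n66 >> 2).to_bytes(8, "big")
    if six_word_indices(otp) != list(words):
        raise ValueError("checksum mismatch")
    return otp


class OtpServerEntry:
    """Verifier state: seed, next sequence number, last accepted OTP.

    The server keeps only hash(next expected response). A stolen entry
    cannot be turned into a valid response (the hash is one-way), and a
    response captured on the wire is useless afterwards because the
    sequence number only decreases.
    """

    def __init__(self, passphrase: str, seed: str, start: int, alg: str = "md5"):
        self.seed, self.alg, self.sequence = seed.lower(), alg, start
        self.last_otp = otp_generate(passphrase, seed, start, alg)

    def challenge(self) -> str:
        return f"otp-{self.alg} {self.sequence - 1} {self.seed}"

    def verify_response(self, response_hex: str) -> bool:
        """Accept iff one more hash of the response equals the stored OTP."""
        if self.sequence <= 0:
            return False  # sequence exhausted: the user must re-initialize
        candidate = parse_hex(response_hex)
        if _step(candidate, self.alg) != self.last_otp:
            return False
        self.last_otp, self.sequence = candidate, self.sequence - 1
        return True
```

The verifier never sees the passphrase and stores only the previous accepted value, which is the point of the scheme: anything an eavesdropper captures is one step below what the server will accept next, so it cannot be replayed. The remaining exposure is an attacker who answers a challenge before the legitimate user does (a race), which RFC 2289 addresses with locking rather than with the arithmetic shown here.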

An Informational RFC might also be issued that describes conventions for the UNIX commands relating to one-time passwords, including command(s) to securely update a remote one-time password.

Goals and Milestones:
Done  Reach agreement on required and optional attributes.
Done  Produce Internet-Draft specifying the IETF one-time password authentication technology.
Done  Final review (Working Group Last Call) of the Internet-Draft.
Done  Submit One-Time Password document to IESG for consideration as a Proposed Standard.
Done  Submit Internet-Draft on optional extensions to OTP.
Done  Submit Internet-Draft on OTP optional Extensions to IESG for consideration of publication as an RFC.
No Current Internet-Drafts
Request For Comments:
RFC      Status  Title
RFC1938  PS      A One-Time Password System
RFC2243  PS      OTP Extended Responses
RFC2289  DS      A One-Time Password System
RFC2444  PS      The One-Time-Password SASL Mechanism
(PS = Proposed Standard, DS = Draft Standard)

Current Meeting Report

None received.

Slides

None received.