Hi, Directory developers,

The purpose of this message is to keep you in the loop about my efforts w.r.t. "Kerberos SAM." I mentioned this last week, in the thread on activity in my sandbox, but at this time I would like to make it slightly more formal, because I heard back from some of the other people involved in the Kerberos SAM initiative.

As a representative to OATH [1], the "initiative for Open AuTHentication," I was asked by Siddharth Bajaj, the chair of OATH’s Technology Working Group, to help drive the addition of 2-factor authentication support to the Kerberos protocol, with a specific goal of creating an IETF RFC, beginning with some existing work known as "Kerberos SAM" [2]. SAM stands for "Single-use Authentication Mechanism" and you can think of it as an update to the acronym OTP, "One Time Password," expanding the scope of the concept to not be limited specifically to "passwords." More specifically, OATH would like to see their HOTP Algorithm supported by Kerberos [3].

Some time ago, prior even to working with OATH, I completed codecs for the SAM ASN1 structures [4]. At this time, Kerberos SAM is a stalled draft, so I don't think it should be mainlined with the Kerberos code, but I do think it would be harmless to move it out of my sandbox to a module in the trunk.

Incidentally, one of the initial reasons we started looking at OSGi was to adopt an open standard that would allow us to better support modularity in ApacheDS, be it to handle the scale of our project or, in this case, to allow draft support at defined extension points.

Enrique


[1] http://www.openauthentication.org/
[2] http://tools.ietf.org/wg/krb-wg/draft-ietf-krb-wg-kerberos-sam/
[3] http://www.ietf.org/rfc/rfc4226.txt
[4] https://svn.apache.org/repos/asf/directory/sandbox/erodriguez/kerberos-sam
