Hey Siddharth,
Just to be clear, an OTP hardware token is considered a "one-time
password device token" not a "Hard token" given SP 800-63, section 6
on page 15.  This means that an OTP device can satisfy up to level 3,
though a FIPS compliant Hard token would be needed for level 4.

Level 3 also requires two-factor authentication, so OTP plus at least
a password or PIN.  On page 37, it gives the example of a one-time
password device combined with a Level 1 password transmitted via TLS.

When replying with a NIST level, the OP can only include one value.
Thus if 0, 1, 2 and 3 are possible, the OP should decide which level
it wishes to respond with.  While 3 may be the strongest, there may
be situations where you instead want to respond with a lower value.

Yes, per the PAPE abstract it does not talk about enrollment or  
identity proofing.

--David
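As an added illustration of the rules David lays out above (this is example code, not part of the thread or of the PAPE draft), the following picks the single value an OP would place in `openid.pape.nist_auth_level`. The factor table and the assumption that a lone factor never exceeds level 2 are constructed for the example.

```python
"""Choose the one NIST level an OpenID Provider asserts in
openid.pape.nist_auth_level (added example, not code from the thread).

Rules paraphrased from the reply above: an OTP device token reaches at
most level 3 and only together with a password or PIN; level 4 needs a
FIPS-compliant hard token.  That a single factor is capped at level 2
is an assumption derived from the two-factor requirement for level 3.
"""

# Highest level each factor type can contribute (constructed table).
FACTOR_CEILING = {
    "password": 1,     # e.g. a Level 1 password sent over TLS
    "pin": 1,
    "otp_device": 3,   # one-time password device token
    "hard_token": 4,   # FIPS-compliant hardware token
}
SINGLE_FACTOR_CEILING = 2  # assumption: levels 3 and 4 need two factors


def nist_auth_level(factors, policy_cap=None):
    """Return the single level the OP should assert for this login.

    factors    -- iterable of factor-type names from FACTOR_CEILING
    policy_cap -- optional lower level the OP prefers to respond with
    """
    factors = set(factors)
    unknown = factors - set(FACTOR_CEILING)
    if unknown:
        raise ValueError(f"unknown factor types: {sorted(unknown)}")
    if not factors:
        return 0  # nothing that satisfies any NIST level
    level = max(FACTOR_CEILING[f] for f in factors)
    if len(factors) < 2:
        level = min(level, SINGLE_FACTOR_CEILING)
    if policy_cap is not None:
        level = min(level, policy_cap)
    return level


def pape_response_params(factors, policy_cap=None):
    """Build the PAPE response fragment: exactly one value, never a list."""
    level = nist_auth_level(factors, policy_cap)
    return {"openid.pape.nist_auth_level": str(level)}


if __name__ == "__main__":
    # OTP device plus password: the SP 800-63 page 37 example, level 3
    print(pape_response_params(["otp_device", "password"]))
    # OTP device alone: no second factor, so capped at level 2
    print(pape_response_params(["otp_device"]))
```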

On Oct 12, 2007, at 3:36 PM, Bajaj, Siddharth wrote:

>
> Hi David,
>
> I have a quick question about the PAPE draft specification. In the
> response parameters, you can set a parameter called
> 'openid.pape.nist_auth_level'
>
> There is a section 7.1.2 that describes the parameter and in the last
> table the spec maps some of the common authentication technologies to
> the NIST levels.
>
> Now for example, let's take an OTP hardware token, which satisfies the
> requirements for Levels 1, 2, and 3. So, should the OP set the value of
> the parameter to the highest level that it satisfies (in this case 3) or
> does the OP individually list all the auth levels it meets (in this case
> <1,2,3>)? This is not clear from the table or the spec. Given that the
> Barcelona interop is coming up, can you clarify?
>
> Also, the NIST levels typically take into account the authentication
> credential as well as id proofing. I'm guessing that for the purposes of
> PAPE we are ignoring the initial ID vetting/id proofing requirements.
> Thanks,
>
> Siddharth
>
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>

