Skip to main content

HOTP: An HMAC-Based One-Time Password Algorithm
draft-mraihi-oath-hmac-otp-04

Revision differences

Document history

Date Rev. By Action
2005-06-12
04 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2005-05-31
04 Amy Vezza IESG state changed to Approved-announcement sent
2005-05-31
04 Amy Vezza IESG has approved the document
2005-05-31
04 Amy Vezza Closed "Approve" ballot
2005-05-27
04 Amy Vezza State Changes to Approved-announcement to be sent from IESG Evaluation by Amy Vezza
2005-05-27
04 (System) Removed from agenda for telechat - 2005-05-26
2005-05-26
04 Margaret Cullen [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman
2005-05-26
04 Mark Townsley [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley
2005-05-26
04 Bert Wijnen [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen
2005-05-26
04 Brian Carpenter
[Ballot comment]
Review by Lakshminath Dondeti

Draft is generally ready to move forward as Informational RFC, but needs Editorial fixes before publication.

* Editorial issues: …
[Ballot comment]
Review by Lakshminath Dondeti

Draft is generally ready to move forward as Informational RFC, but needs Editorial fixes before publication.

* Editorial issues:
---------------------

ID-checklist says there shouldn't be a reference in the Abstract (RFC Editor will force this later on).

In Section 3, please replace RFC 2119 with BCP 14, and cite BCP 14.  (I am told RFC #2119 could be ephemeral, but BCP 14 would be long(er)-living).

In Section 4, the paragraph describing "R5" refers to a non-existent Section 8.4.  6.4 is not about resynchronization, Section 6.5 is.

Section 5.3.  Step 3, 2nd line says Snum = StToNum(S)
Q: Since Step 2 is Sbits = DT(HS), shouldn't S above be Sbits?

Section 6:  Shouldn't this section be after the algorithm overview etc?

The sentence preceding Section 6.1 is dangling.  "Other mechanisms should be used to defeat ..."  please complete the sentence.

As I read Section 6, I think perhaps this should be renamed Security requirements.

6.1.  Please rewrite requirement RP1.
P is defined earlier as a protocol implementing HOTP as the authentication method.
RP1 states that "P MUST be two-factor," and goes on to elaborate on the meaning of two-factor.  A protocol cannot be a two-factor though.  (note: Just needs clarifying text).

RP3:  "state of the art" and "usual attacks and risks" tend to mean different things to different people.  Please state what is required.

6.3 Last paragraph: Does HOTP require SSL?  Why can't this be used for client authentication in IPsec RAS connections?  Perhaps a generic term such as secure channel could be used with SSL/TLS and IPsec as examples?

Section 6.6.  Does HSM stand for Hardware security module?  Please expand the first use of HSM.

Section 10.  If the suggestion to rename Section 6 is followed, this could renamed "Security Considerations" with some additional text.
Section 13 has 12.1 and 12.2 as subsections.  Please renumber here and in the ToC.

Note: This review does not include a review of the appendices.  Q: Has this been circulated to the CFRG list?
2005-05-26
04 Brian Carpenter
[Ballot comment]
Lakshminath Dondeti

Draft is generally ready to move forward as Informational RFC, but needs Editorial fixes before publication.

* Editorial issues:
---------------------

ID-checklist …
[Ballot comment]
Lakshminath Dondeti

Draft is generally ready to move forward as Informational RFC, but needs Editorial fixes before publication.

* Editorial issues:
---------------------

ID-checklist says there shouldn't be a reference in the Abstract (RFC Editor will force this later on).

In Section 3, please replace RFC 2119 with BCP 14, and cite BCP 14.  (I am told RFC #2119 could be ephemeral, but BCP 14 would be long(er)-living).

In Section 4, the paragraph describing "R5" refers to a non-existent Section 8.4.  6.4 is not about resynchronization, Section 6.5 is.

Section 5.3.  Step 3, 2nd line says Snum = StToNum(S)
Q: Since Step 2 is Sbits = DT(HS), shouldn't S above be Sbits?

Section 6:  Shouldn't this section be after the algorithm overview etc?

The sentence preceding Section 6.1 is dangling.  "Other mechanisms should be used to defeat ..."  please complete the sentence.

As I read Section 6, I think perhaps this should be renamed Security requirements.

6.1.  Please rewrite requirement RP1.
P is defined earlier as a protocol implementing HOTP as the authentication method.
RP1 states that "P MUST be two-factor," and goes on to elaborate on the meaning of two-factor.  A protocol cannot be a two-factor though.  (note: Just needs clarifying text).

RP3:  "state of the art" and "usual attacks and risks" tend to mean different things to different people.  Please state what is required.

6.3 Last paragraph: Does HOTP require SSL?  Why can't this be used for client authentication in IPsec RAS connections?  Perhaps a generic term such as secure channel could be used with SSL/TLS and IPsec as examples?

Section 6.6.  Does HSM stand for Hardware security module?  Please expand the first use of HSM.

Section 10.  If the suggestion to rename Section 6 is followed, this could renamed "Security Considerations" with some additional text.
Section 13 has 12.1 and 12.2 as subsections.  Please renumber here and in the ToC.

Note: This review does not include a review of the appendices.  Q: Has this been circulated to the CFRG list?
2005-05-26
04 Brian Carpenter [Ballot Position Update] New position, No Objection, has been recorded for Brian Carpenter by Brian Carpenter
2005-05-26
04 Bill Fenner [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner
2005-05-25
04 David Kessens [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens
2005-05-25
04 Michelle Cotton IANA Comments:
We understand this document to have no IANA Actions.
2005-05-24
04 Ted Hardie [Ballot Position Update] New position, No Objection, has been recorded for Ted Hardie by Ted Hardie
2005-05-24
04 Scott Hollenbeck
[Ballot comment]
Not a discuss since this is an Informational document and these are editorial issues:

There probably shouldn't be a reference in the Abstract. …
[Ballot comment]
Not a discuss since this is an Informational document and these are editorial issues:

There probably shouldn't be a reference in the Abstract.

Please expand the HOTP acronym on first use in Section 1.

Please add cite RFC 2119 in Section 3.
2005-05-24
04 Scott Hollenbeck
[Ballot comment]
Not a discuss since this is an Informational document and these are editorial issues:

There probably shouldn't be a reference in the Abstract. …
[Ballot comment]
Not a discuss since this is an Informational document and these are editorial issues:

There probably shouldn't be a reference in the Abstract.

Please expand the HOTP algorithm on first use in Section 1.

Please add cite RFC 2119 in Section 3.
2005-05-24
04 Scott Hollenbeck [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck
2005-05-19
04 Russ Housley Placed on agenda for telechat - 2005-05-26 by Russ Housley
2005-05-19
04 Russ Housley [Ballot Position Update] New position, Yes, has been recorded for Russ Housley
2005-05-19
04 Russ Housley Ballot has been issued by Russ Housley
2005-05-19
04 Russ Housley Created "Approve" ballot
2005-05-19
04 (System) Ballot writeup text was added
2005-05-19
04 (System) Last call text was added
2005-05-19
04 (System) Ballot approval text was added
2005-05-19
04 Russ Housley State Changes to IESG Evaluation from AD Evaluation::External Party by Russ Housley
2005-05-19
04 (System) New version available: draft-mraihi-oath-hmac-otp-04.txt
2005-04-18
04 Russ Housley State Changes to AD Evaluation::External Party from AD Evaluation by Russ Housley
2005-04-18
04 Russ Housley State Changes to AD Evaluation from Publication Requested by Russ Housley
2005-04-18
04 Russ Housley Draft Added by Russ Housley in state Publication Requested
2005-04-18
03 (System) New version available: draft-mraihi-oath-hmac-otp-03.txt
2005-02-10
02 (System) New version available: draft-mraihi-oath-hmac-otp-02.txt
2004-10-21
01 (System) New version available: draft-mraihi-oath-hmac-otp-01.txt
2004-10-19
00 (System) New version available: draft-mraihi-oath-hmac-otp-00.txt