Editor's note:  These minutes have not been edited.

Date: Wed, 20 Dec 1995 09:56:18 -0500
From: Neil M Haller <nmh@bellcore.com>
Subject: One-Time Password (OTP) WG  Minutes


IETF 34  -   WG on One-Time Password Authentication

Co-chairs:	Neil Haller (Bellcore)
		Ran Atkinson (NRL)

Mailing List Info:

	General Interest:  ietf-otp@bellcore.com
	[Un]subscribe:     ietf-otp-request@bellcore.com
	Archive:	   ftp.bellcore.com:/pub/ietf-otp/archive


Reported by:	Neil Haller (notes recorded by Antonio Fernandez)


It was announced that the fifth and latest internet draft had been
submitted from the working group to the Area Director of Security,
Jeff Schiller, with the recommendation that it go to "Proposed
Standard".  It was noted that the WG had met this goal before ever
meeting as a working group.

Jeff Schiller summarized the standards process.

  The IETF has three levels of standards documents.  Proposed Standard,
  Draft Standard, and Full Standard.
  
  Proposed Standard requires that the WG come to consensus.  If the
  Area Director approves, the draft is sent out for IETF last call for
  a period of at least two weeks.  The IESG then votes; each member 
  may vote yes, abstain, no objection, or discuss.  To pass, there
  must be at least one yes, 2/3 yes or no objection, and no discuss
  votes.  Jeff does not anticipate any objection to the OTP document
  going through this process.

  Draft Standard requires the passage of time and at least two
  independent implementations must interoperate.  It is a commitment
  not to change unless something drastic happens compromising the
  basic assumptions of the draft.

  Full Standard, of which there are very few, requires six months
  (not 100% sure that six is correct) after the promotion to Draft
  Standard.

Short presentations were invited on implementations.

  Phil Servita reported on his implementation.  He recently 
  discovered that the SHA algorithm did not work, but that it would
  be fixed shortly.  His implementation currently supports the
  Alternative Dictionary as described in the working group I-D.
  It also defends against the "wrong line" attack, which can occur
  if the user of a paper list of one-time passwords enters the wrong
  otp.  Phil's version also supports automatic reinitialization.
  In addition to his OTP programs, Phil also has an OTP toolkit
  available (see below).  Phil said he thought his Windows client
  code (OTP passphrase generator) should run just fine under NT,
  as it is just a Windows application.  Phil offers his code free for
  non-commercial use; commercial organizations interested in using it
  should contact him.  [Phil has since reported that both the
  DOS/Windows and UNIX code now do SHA1 correctly.]

  Ran Atkinson described the NRL implementation called OPIE.  It
  defends against the race attack (see I-D), but is not very
  different from Bellcore's reference implementation of S/KEY.   He
  expects it to be upgraded to conform to the draft specification
  in January.  It is available free as long as NRL gets some credit.
  Available from ftp:/ftp.nr.navy.mil/nrl-opie.    There is also a
  Macintosh key generator compiled for the PowerMac.

  Neil Haller discussed the status of Bellcore's work.  The public
  version (reference implementation) will not be upgraded.  It does
  not conform to the OTP draft.  Bellcore is doing a commercial
  implementation that will conform to the OTP draft.

There was a discussion of proposals for additions to the OTP protocol.
Most changes could be added after OTP is promoted to Proposed Standard,
as it is likely that they would be classed as editorial changes.

  It was agreed that the defense against the "wrong line attack"
  should be described in the standard.  It should be classified as
  optional (MAY implement) for servers.

  It was proposed on the mailing list that the standard dictionary
  be modified to remove homonyms.  There was strong agreement that
  the dictionary was used in too many implementations and should not
  be changed.

  It was agreed that automatic re-initialization of the one-time
  password sequence was desirable.  The details of various proposals
  will be discussed on the mailing list.  It was agreed that all
  proposals should be submitted to the list by January 1, 1996.

OTP authentication toolkit for UNIX  -  by Phil Servita

  -  Supports OTP as defined in WG draft.
  -  Supports MD4, MD5, and SHA1 simultaneously
  -  Queued access protects against the race attack
  -  Supports Alternative Dictionary
  -  Supports Reinitialization without having to access a
     command-line shell
  -  Configurable acceptance window to protect against the
     wrong-line attack
  -  A utility for converting from S/KEY style "skeykeys" file
  -  A utility to generate alternative dictionaries.
  -  Compiles under SunOS, Solaris, OSF/1, Linux, and soon
     under HPUX, AIX, IRIX.
Available from:
     ftp.ftp.com:/pub/meister/otp/unix/otp.tar  (source code)
     ftp.ftp.com:/pub/meister/otp/unix/otp.sig  (PGP signature)

Phil's DOS and Windows code is available from:
     ftp.ftp.com:/pub/meister/otp/dosotp/*
     ftp.ftp.com:/pub/meister/otp/winotp/*
     Each directory contains binaries, a tar file containing source
     code, and PGP signatures.
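The minutes mention three server-side behaviours without spelling them out: the hash chain itself, the "acceptance window" defense against the wrong-line attack (Phil's implementation and toolkit, and the addition agreed for the standard), and "queued access" against the race attack (OPIE and Phil's toolkit).  The following is an added example written for these minutes; it is not Phil Servita's toolkit, NRL's OPIE or Bellcore's S/KEY code.  The 64-bit fold (XOR of the two halves of a 128-bit MD4/MD5 digest) follows RFC 1760; MD5 is used rather than MD4 only because Python's hashlib always provides it.  The window semantics, the per-user lock, and the sample passphrase/seed/sequence values are this example's own assumptions about how such features behave, not a description of any listed implementation.

```python
"""Toy S/KEY-style OTP verifier: hash chain, acceptance window for the
"wrong line" case, and serialized (queued) verification for the race case.
Added example for these minutes; not Phil Servita's toolkit, NRL OPIE or
Bellcore's S/KEY code.  The 64-bit fold (XOR of the two halves of a 128-bit
MD4/MD5 digest) follows RFC 1760; the window and locking policy are this
example's own assumptions.  MD5 is used because hashlib always provides it
(MD4 needs OpenSSL's legacy provider on current systems)."""
import hashlib
import threading


def fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD4/MD5 digest to 64 bits by XORing its two halves."""
    assert len(digest) == 16, "fold() expects a 128-bit digest"
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def step(value: bytes, alg: str = "md5") -> bytes:
    """One computation step of the chain: hash the 64-bit value, fold again."""
    return fold(hashlib.new(alg, value).digest())


def otp(passphrase: str, seed: str, seq: int, alg: str = "md5") -> bytes:
    """One-time password for sequence number seq: the initial step hashes
    seed (lower-cased) + passphrase, then seq further computation steps."""
    value = fold(hashlib.new(alg, (seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        value = step(value, alg)
    return value


class OtpServer:
    """Per-user server state: sequence number seq and the password last
    accepted, which is otp(seq).  The next expected entry is otp(seq - 1),
    since step(otp(seq - 1)) == otp(seq); knowing otp(seq) reveals nothing
    about the earlier passwords in the chain."""

    def __init__(self, seq: int, last: bytes, window: int = 1, alg: str = "md5"):
        self.seq, self.last, self.window, self.alg = seq, last, window, alg
        self.lock = threading.Lock()  # queued access: one verification at a time

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate if stepping it k times (1 <= k <= window) reaches
        the stored password; k > 1 means the user read a later line of the
        paper list.  On success the state jumps past every skipped line, so a
        password exposed by the mistyped entry cannot be replayed later."""
        with self.lock:
            value = candidate
            for k in range(1, self.window + 1):
                value = step(value, self.alg)
                if value == self.last and self.seq - k >= 0:
                    self.seq -= k
                    self.last = candidate
                    return True
            return False  # already used (replay), outside the window, or bogus


# Constructed sample values for the demonstrations below (assumptions).
PASSPHRASE, SEED, START = "This is a test.", "TeSt", 99


def wrong_line_demo(window: int):
    """User enters line 96 instead of the expected 98, then the legitimate
    98 and 97, then an eavesdropper replays the exposed 96.  Returns the
    four accept/reject outcomes and the final sequence number."""
    server = OtpServer(START, otp(PASSPHRASE, SEED, START), window=window)
    outcomes = [server.verify(otp(PASSPHRASE, SEED, s)) for s in (96, 98, 97, 96)]
    return outcomes, server.seq


def race_demo(attempts: int = 8) -> int:
    """Several sessions submit the same correct password concurrently;
    returns how many were accepted (exactly one with the lock in place)."""
    server = OtpServer(START, otp(PASSPHRASE, SEED, START), window=1)
    candidate = otp(PASSPHRASE, SEED, START - 1)
    results, guard = [], threading.Lock()

    def attempt():
        ok = server.verify(candidate)
        with guard:
            results.append(ok)

    threads = [threading.Thread(target=attempt) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("window=1:", wrong_line_demo(1))  # ([False, True, True, True], 96)
    print("window=3:", wrong_line_demo(3))  # ([True, False, False, False], 96)
    print("race accepted:", race_demo())    # 1
```

With a window of 1 the mistyped line 96 is rejected, but it has now crossed the network, and once the user has consumed lines 98 and 97 the eavesdropper's replay of 96 is accepted.  With a window of 3 the server accepts 96 immediately, burns 98 and 97, and the later replay fails.  The trade-off a practitioner should note: each submitted value is compared against `window` positions of the chain, so the window multiplies an online guesser's per-attempt chance by roughly that factor, which is why it belongs in configuration and why the WG made the defense optional.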

Documents

    RFC 1760, N Haller, February 1995
    I-D draft-haller-otp-05.txt, November 21, 1995