REFEDS Assurance wg telco
Wednesday  4 April 2018 at 15:00 CEST/8:00 CDT
CERN’s Vidyo portal:

Pål A
Jule Z
Mikael L


  • walked through a draft of the new simplified version of SFA
    • clarify wording: passwords are chosen by the user and not generated for them
    • add complexity rules as a requirement for passwords with 72 character set
      • leave exact definition of the rules open
    • look-up secrets are often unlimited in time so there needs to be some extra protection against brute-force attacks
      • if a short non-time-based OTP is exposed to a brute-force attack for an unlimited time it is like cracking a poor password
    • TAN and TOTP is not defined in 800-63B, find proper reference
    • what is an authentication secret?
      • if authentication is done by sending a challenge that the user needs to encrypt with their key and then return, which one (the key or challenge) is the authentication secret?
    • enough to say needs to be cryptographically protectedted, without defining how
      • otherwise we find ourself defining algorithms which last time led to troubles
    • can Table 1 be applied to backup keys and OTPs that are provided to the user in advance?
  • next call: 23 April 15:30 CEST/8:30 CDT
  • No labels