draft-ietf-oauth-amr-values-02.txt   draft-ietf-oauth-amr-values-03.txt 
OAuth Working Group M. Jones OAuth Working Group M. Jones
Internet-Draft Microsoft Internet-Draft Microsoft
Intended status: Standards Track P. Hunt Intended status: Standards Track P. Hunt
Expires: March 13, 2017 Oracle Expires: April 17, 2017 Oracle
A. Nadalin A. Nadalin
Microsoft Microsoft
September 9, 2016 October 14, 2016
Authentication Method Reference Values Authentication Method Reference Values
draft-ietf-oauth-amr-values-02 draft-ietf-oauth-amr-values-03
Abstract Abstract
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry but no registered in the IANA "JSON Web Token Claims" registry but no
standard Authentication Method Reference values are currently standard Authentication Method Reference values are currently
defined. This specification establishes a registry for defined. This specification establishes a registry for
Authentication Method Reference values and defines an initial set of Authentication Method Reference values and defines an initial set of
Authentication Method Reference values. Authentication Method Reference values.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 13, 2017. This Internet-Draft will expire on April 17, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
3. Relationship to "acr" (Authentication Context Class 3. Relationship to "acr" (Authentication Context Class
Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5 Reference) . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6.1. Authentication Method Reference Values Registry . . . . . 6 6.1. Authentication Method Reference Values Registry . . . . . 6
6.1.1. Registration Template . . . . . . . . . . . . . . . . 7 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7
6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 11 7.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12
Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 Appendix B. Document History . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
The "amr" (Authentication Methods References) claim is defined and The "amr" (Authentication Methods References) claim is defined and
registered in the IANA "JSON Web Token Claims" registry registered in the IANA "JSON Web Token Claims" registry
[IANA.JWT.Claims] but no standard Authentication Method Reference [IANA.JWT.Claims] but no standard Authentication Method Reference
values are currently defined. This specification establishes a values are currently defined. This specification establishes a
registry for Authentication Method Reference values and defines an registry for Authentication Method Reference values and defines an
skipping to change at page 4, line 20 skipping to change at page 4, line 20
Use of geolocation information Use of geolocation information
hwk hwk
Proof-of-possession (PoP) of a hardware-secured key. See Proof-of-possession (PoP) of a hardware-secured key. See
Appendix C of [RFC4211] for a discussion on PoP. Appendix C of [RFC4211] for a discussion on PoP.
iris iris
Iris scan biometric Iris scan biometric
kba kba
Knowledge-based authentication [NIST.800-63-2] Knowledge-based authentication [NIST.800-63-2] [ISO29115]
mca mca
Multiple-channel authentication. The authentication involves Multiple-channel authentication. The authentication involves
communication over more than one distinct communication channel. communication over more than one distinct communication channel.
For instance, a multiple-channel authentication might involve both For instance, a multiple-channel authentication might involve both
entering information into a workstation's browser and providing entering information into a workstation's browser and providing
information on a telephone call to a pre-registered number. information on a telephone call to a pre-registered number.
mfa mfa
Multiple-factor authentication [NIST.800-63-2]. When this is Multiple-factor authentication [NIST.800-63-2] [ISO29115]. When
present, specific authentication methods used may also be this is present, specific authentication methods used may also be
included. included.
otp otp
One-time password. One-time password specifications that this One-time password. One-time password specifications that this
authentication method applies to include [RFC4226] and [RFC6238]. authentication method applies to include [RFC4226] and [RFC6238].
pin pin
Personal Identification Number or pattern (not restricted to Personal Identification Number or pattern (not restricted to
containing only numbers) that a user enters to unlock a key on the containing only numbers) that a user enters to unlock a key on the
device. This mechanism should have a way to deter an attacker device. This mechanism should have a way to deter an attacker
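Review bot: The [ISO29115] citation added to the kba and mfa entries needs a matching reference entry, and in -03 it appears under 7.2 Informative References; that placement is consistent with the way both entries use it, as a pointer to background on knowledge-based and multiple-factor authentication alongside [NIST.800-63-2] rather than as a source of requirements. The mfa text itself only re-wraps ("When this is present, specific authentication methods used may also be included."), so no meaning changes there. One check for the editor: both entries now cite two documents side by side with no indication of which defines the term, so a reader comparing the two sources gets no guidance on precedence if the definitions differ.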
skipping to change at page 10, line 22 skipping to change at page 10, line 22
o Specification Document(s): Section 2 of [[ this specification ]] o Specification Document(s): Section 2 of [[ this specification ]]
7. References 7. References
7.1. Normative References 7.1. Normative References
[IANA.JWT.Claims] [IANA.JWT.Claims]
IANA, "JSON Web Token Claims", IANA, "JSON Web Token Claims",
<http://www.iana.org/assignments/jwt>. <http://www.iana.org/assignments/jwt>.
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>.
[OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
C. Mortimore, "OpenID Connect Core 1.0", November 2014,
<http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>.
7.2. Informative References
[ISO29115]
International Organization for Standardization, "ISO/IEC
29115:2013 -- Information technology - Security techniques
- Entity authentication assurance framework", ISO/
IEC 29115:2013, April 2013,
<http://www.iso.org/iso/iso_catalogue/catalogue_tc/
catalogue_detail.htm?csnumber=45138>.
[JECM] Williamson, G., "Enhanced Authentication In Online [JECM] Williamson, G., "Enhanced Authentication In Online
Banking", Journal of Economic Crime Management 4.2: 18-19, Banking", Journal of Economic Crime Management 4.2: 18-19,
2006, 2006,
<http://utica.edu/academic/institutes/ecii/publications/ <http://utica.edu/academic/institutes/ecii/publications/
articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>. articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>.
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, May 2015,
<http://www.rfc-editor.org/info/rfc7519>.
[MSDN] Microsoft, "Integrated Windows Authentication with [MSDN] Microsoft, "Integrated Windows Authentication with
Negotiate", September 2011, Negotiate", September 2011,
<http://blogs.msdn.com/b/benjaminperkins/ <http://blogs.msdn.com/b/benjaminperkins/
archive/2011/09/14/iis-integrated-windows-authentication- archive/2011/09/14/iis-integrated-windows-authentication-
with-negotiate.aspx>. with-negotiate.aspx>.
[NIST.800-63-2] [NIST.800-63-2]
National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST),
"Electronic Authentication Guideline", NIST Special "Electronic Authentication Guideline", NIST Special
Publication 800-63-2, August 2013, Publication 800-63-2, August 2013,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-63-2.pdf>. NIST.SP.800-63-2.pdf>.
[OpenID.Core] [OpenID.MODRNA]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and Connotte, J. and J. Bradley, "OpenID Connect MODRNA
C. Mortimore, "OpenID Connect Core 1.0", November 2014, Authentication Profile 1.0", September 2016,
<http://openid.net/specs/openid-connect-core-1_0.html>. <https://bitbucket.org/openid/mobile/raw/default/draft-
mobile-authentication-01.txt>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
DOI 10.17487/RFC4211, September 2005, DOI 10.17487/RFC4211, September 2005,
<http://www.rfc-editor.org/info/rfc4211>. <http://www.rfc-editor.org/info/rfc4211>.
[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and [RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and
O. Ranen, "HOTP: An HMAC-Based One-Time Password O. Ranen, "HOTP: An HMAC-Based One-Time Password
Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005, Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005,
<http://www.rfc-editor.org/info/rfc4226>. <http://www.rfc-editor.org/info/rfc4226>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP: [RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP:
Time-Based One-Time Password Algorithm", RFC 6238, Time-Based One-Time Password Algorithm", RFC 6238,
DOI 10.17487/RFC6238, May 2011, DOI 10.17487/RFC6238, May 2011,
<http://www.rfc-editor.org/info/rfc6238>. <http://www.rfc-editor.org/info/rfc6238>.
[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
RFC 6749, DOI 10.17487/RFC6749, October 2012,
<http://www.rfc-editor.org/info/rfc6749>.
7.2. Informative References
[OpenID.MODRNA]
Connotte, J. and J. Bradley, "OpenID Connect MODRNA
Authentication Profile 1.0", February 2016,
<https://bitbucket.org/openid/mobile/raw/default/draft-
mobile-authentication-01.txt>.
[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
Threat Model and Security Considerations", RFC 6819, Threat Model and Security Considerations", RFC 6819,
DOI 10.17487/RFC6819, January 2013, DOI 10.17487/RFC6819, January 2013,
<http://www.rfc-editor.org/info/rfc6819>. <http://www.rfc-editor.org/info/rfc6819>.
Appendix A. Acknowledgements Appendix A. Acknowledgements
Caleb Baker participated in specifying the original set of "amr" Caleb Baker participated in specifying the original set of "amr"
values. John Bradley, Brian Campbell, William Denniss, James Manger, values. John Bradley, Brian Campbell, William Denniss, James Manger,
Nat Sakimura, and Mike Schwartz provided reviews of the Nat Sakimura, and Mike Schwartz provided reviews of the
specification. specification.
Appendix B. Document History Appendix B. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-03
o Addressed shepherd comments.
-02 -02
o Addressed working group last call comments. o Addressed working group last call comments.
-01 -01
o Distinguished between retina and iris biometrics. o Distinguished between retina and iris biometrics.
o Expanded the introduction to provide additional context to o Expanded the introduction to provide additional context to
readers. readers.
o Referenced the OpenID Connect MODRNA Authentication Profile 1.0 o Referenced the OpenID Connect MODRNA Authentication Profile 1.0
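Review bot: The [OpenID.MODRNA] entry changes its date from February 2016 to September 2016 while the URL still points at draft-mobile-authentication-01.txt; confirm that the -01 draft is indeed the revision dated September 2016, or update the URL together with the date so the citation identifies a single revision. The rest of the reference reorganization reads consistently: [JWT], [OpenID.Core], [RFC2119], [RFC5226] and [RFC6749] move into 7.1 Normative References, which fits a specification that defines a JWT claim value registry, uses the RFC 2119 key words and follows the RFC 5226 registration procedure, while [RFC4211], [RFC4226] and [RFC6238], cited in the hwk and otp entries only as pointers to further discussion, correctly remain informative, and the new [ISO29115] entry supplies the reference for the citations added to kba and mfa. The Document History gains "-03: Addressed shepherd comments", and the table-of-contents page numbers for 7.2 and Appendix A shift to match the longer normative list.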
 End of changes. 13 change blocks. 
39 lines changed or deleted 51 lines changed or added