Posted to dev@directory.apache.org by Enrique Rodriguez <en...@gmail.com> on 2006/06/01 10:47:10 UTC
Kerberos SAM initiative

Hi, Directory developers,

The purpose of this message is to keep you in the loop about my efforts
w.r.t. "Kerberos SAM." I mentioned this last week, in the thread on
activity in my sandbox, but at this time I would like to make it
slightly more formal, because I heard back from some of the other people
involved in the Kerberos SAM initiative.

As a representative to OATH [1], the "initiative for Open
AuTHentication," I was asked by Siddharth Bajaj, the chair of OATH’s
Technology Working Group, to help drive the addition of 2-factor
authentication support to the Kerberos protocol, with a specific goal of
creating an IETF RFC, beginning with some existing work known as
"Kerberos SAM" [2]. SAM stands for "Single-use Authentication
Mechanism" and you can think of it as an update to the acronym OTP, "One
Time Password," expanding the scope of the concept to not be limited
specifically to "passwords." More specifically, OATH would like to see
their HOTP Algorithm supported by Kerberos [3].

Some time ago, prior even to working with OATH, I completed codecs for
the SAM ASN1 structures [4]. At this time, Kerberos SAM is a stalled
draft, so I don't think it should be mainlined with the Kerberos code,
but I do think it would be harmless to move it out of my sandbox to a
module in the trunk.

Incidentally, one of the initial reasons we started looking at OSGi was
to adopt an open standard that would allow us to better support
modularity in ApacheDS, be it to handle the scale of our project or, in
this case, to allow draft support at defined extension points.

Enrique

[1] http://www.openauthentication.org/
[2] http://tools.ietf.org/wg/krb-wg/draft-ietf-krb-wg-kerberos-sam/
[3] http://www.ietf.org/rfc/rfc4226.txt
[4] https://svn.apache.org/repos/asf/directory/sandbox/erodriguez/kerberos-sam