Computerworld - After reviewing the May 20, 2005 opinion article by Burt Kaliski of RSA Laboratories, readers might come away with the wrong impression of the Initiative for Open Authentication (Oath) and its goals.
With due respect to Kaliski, his article made several statements about Oath and its charter that simply aren't true.
First, and most important, Oath has always been committed to driving the adoption of strong authentication across networks, devices and applications. Oath firmly believes that the success of mass adoption hinges on the ability of the industry to provide the end-user community with interoperable components that lower the complexity and cost of deploying strong authentication. Therefore, the development of an open and royalty-free specification for strong authentication has been Oath's initial focus.
While Oath members' first deliverable was the Internet Engineering Task Force Hashed Message Authentication Code One-Time Password algorithm, Oath fully supports the use of multiple OTP technologies (sequence, time-based, challenge response) that are royalty-free and based on open standards. In fact, the Oath road map outlines the use of additional algorithms based on specific customer needs, and the Oath architecture allows for more than one OTP algorithm to be deployed in the same infrastructure. The Oath framework also facilitates the use of proprietary OTP algorithms where required, while continuing to promote the use of open, royalty-free algorithms of various types.
Oath and its members wholeheartedly agree with Kaliski's closing comments that "the most important issue is what is in the best interests of users," and "by ensuring that users and the organizations they interact with can leverage the OTP algorithms that best meet their needs -- within whatever context they need to authenticate -- the industry will be encouraged to make necessary long-term investments in stronger user authentication."
The article also refers to "algorithm agility," and the Oath architecture is dedicated to this concept. As mentioned above, Oath will continue to investigate the need for and promote additional authentication algorithms such as time-based passwords or challenge-response. One of the key components of the Oath reference architecture is the validation framework -- this framework will allow deployment of several algorithms within the same infrastructure simultaneously.
And Oath remains committed to providing royalty-free versions of any of its proposed specifications. More details about Secure Hashing Algorithm-1 issues and Oath that go beyond Kaliski's point of view are available as a download from the Oath Web site.
On May 10, Oath released its first reference architecture that delivers on the organization's promise toward a technical framework and overall vision for
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
