OATH Celebrates Three Years of Technical Achievements for Developing Strong, Industry-Backed Solutions to Open Authentication at the OATH Pavilion, Booth #1724
WASHINGTON CROSSING, Pa. and SAN FRANCISCO, Feb. 6, 2007 -- OATH, the initiative for Open AuTHentication and a leading proponent of industry-backed standards for royalty-free open authentication, used the RSA Conference 2007 to announce the organization's 2007 technology roadmap and goals for achieving industry-backed standards for open authentication. The organization is also hosting 12 members at the OATH Pavilion Booth 1724 at the Moscone Center in San Francisco the week of February 5, 2007.
OATH, marking its third anniversary at the RSA Conference 2007, has a strong track record of technology achievements that have furthered industry efforts toward open authentication standards.
"In 2006, OATH made significant progress working on some of the core authentication standards, such as HOTP and OCRA, as well as standards for credential lifecycle, like PSKC, DSKPP," said Siddharth Bajaj, Joint Coordination Committee Chairman of OATH. "With this groundwork completed, OATH's 2007 focus will be Application Integration and Adoption. This year, we will work on items that enable better integration on both client-side and server-side."
"Standing as the driving force towards open authentication standards, OATH continues its momentum through several key building blocks slated for 2007," said John Gunn, General Manager for Aladdin North America, an OATH member. "Taking an all-encompassing approach to safeguarding electronic commerce and networked operations, OATH's numerous 2007 goals are highly notable, as they build on its many achievements and focus on standards that encourage streamlined implementation and adoption of strong authentication technologies. Aladdin is pleased to stand beside OATH member companies working closely to ensure OATH's fast-paced progress."
OATH's client-side focus is on work items that enable seamless integration of both authentication methods and authentication tokens into clients, browsers, CardSpace, and other target markets. The group's server-side work will focus on standardized interfaces that enable applications to support the validation of OATH credentials.
Bajaj added, "Additionally, to increase adoption of OATH technologies, OATH also plans to initiate an open source initiative. This will provide key building blocks that will accelerate the development and deployment cycles for strong authentication technologies."
Some of the theme elements that the organization has targeted for 2007 include:
* Key Provisioning
OATH, in collaboration with RSA and members of the IETF, initiated the formation of a new IETF work group, "KeyProv", focusing on the development of a standard end-user provisioning protocol for symmetric keys used for authentication. The KeyProv WG was formally approved by the IETF in January and will convene at the March IETF meetings in Prague.
* OATH Challenge-Response Algorithm (OCRA)
This work item adds support for challenge-response-based authentication and short digital signatures, based on the existing HOTP algorithm (RFC 4226).
* OATH Identifier Namespace
To improve interoperability and token sharing across different vendors' authentication solutions, OATH is proposing a standard format for credential identifiers, based on the IEEE EUI-64 standard, to be used in authentication systems.
* Transaction Fraud Reporting
In response to growing industry interest in fraud data reporting and sharing, OATH is introducing a data format to facilitate interoperability and exchange of transaction-related fraud data. The specification supports both inbound (Thraud Reports) and outbound (Thraud Watchlists) mechanisms.
* OATH HOTP variant (time-based)
This work item will extend the HOTP algorithm and offer a standard for time-based one-time passwords. The current HOTP is an event-based one-time password algorithm.
* OATH Web Services Validation Protocol
This work item will create a standard web-services-based protocol that will enable applications to send validation requests for OATH credentials, including HOTP, OCRA and, in the future, time-based OTPs.
* CardSpace support for OATH standards
This work item will create a requirements document that will capture feature requests for support of OATH authentication technologies (HOTP, OCRA, time-based HOTP) in addition to the four authentication mechanisms (Username/Password, Kerberos, Smart Card, and self-issued) that are supported in CardSpace today. OATH intends to submit this document to Microsoft later this year.
* OATH Platform-independent OTP retrieval API
This API will enable applications on different software platforms (Windows, Linux/Unix, Windows Mobile, and others) to retrieve OTP values from a variety of connected tokens. The tokens may be implemented in software, on-board hardware (TPM), or via removable hardware (USB tokens, smart cards, SIM cards and more).
* OATH HTML Tags
This work item will enable seamless integration of OATH authentication technologies in web applications. Standardized HTML tags will serve as triggers for web browser plug-ins and, in the future, browsers to automatically interact with OATH-enabled tokens on the one side and web applications on the other side, supporting use cases for provisioning and retrieval of OATH credentials such as OTPs.
* OATH Risk-based Authentication
Risk-based authentication usually refers to the selection of authentication schemes based on the measured risk associated with the particular session and requested transaction. OATH is currently analyzing the federation of these techniques into a Web Access Management (WAM) layer. The WAM would perform the orchestration of the separate service invocations, effectively transferring the burden of risk analysis and authentication method selection from the application writers to the WAM developers.
The Initiative for Open AuTHentication (OATH) is the industry's leading collaboration of device, platform and application companies, and end user customers of authentication technologies. OATH participants hope to foster use of strong authentication across networks, devices and applications. OATH participants work collectively to facilitate standards and build reference architecture for open authentication while evangelizing the benefits of strong interoperable authentication in a networked world. As OATH grows, the organization is actively seeking feedback and technology contributions from end-user participants who share a common vision for open authentication technology and the products that provide this important measure of security.
OATH is dedicated to helping customers reduce the cost and complexity of deploying strong authentication within enterprises, and across the Internet. Since its formation, OATH's membership includes security industry leaders from token manufacturers, platform vendors, smartcard providers, and security services companies. End-user companies are joining OATH to add their voice and ideas to the goal of open authentication.
To join OATH and to see a list of its current membership, go to: http://www.openauthentication.org/membership.asp.
Access the enrollment form by visiting: http://www.openauthentication.org/membership_form.asp.
OATH technical documents including internet-draft specifications can be located at: http://www.openauthentication.org/resources.asp.
To learn more about OATH, e-mail i...@openauthentication.org or visit http://www.openauthentication.org/.
# # #
All company and product names are trademarks of their respective holders.
