Bug 5608 - Remove or update NordicEdge OTP section in the TAG
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Documentation
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.5.0
Assignee: Henrik Andersson
Keywords: ossman_tester, prosaic
Reported: 2015-08-12 14:00 CEST by Peter Åstrand
Modified: 2016-12-05 11:18 CET

Description Peter Åstrand cendio 2015-08-12 14:00:18 CEST
Our TAG has a section about the NordicEdge OTP server. This product is now owned by McAfee and:

https://kc.mcafee.com/corporate/index?page=content&id=KB85036

"The end of life (EOL) and End of Support (EOS) date for McAfee One Time Password Server version 4.x is July 13, 2016."

Thus, this section in the TAG needs to be removed (or replaced with something else).
Comment 1 Peter Åstrand cendio 2015-08-12 14:41:05 CEST
When it comes to alternatives, it's worth noting that our requirement is using the OTP twice: One time against the master, one time against the agent. Many TOTP implementations allow this. This includes google-authenticator. It allows a "DISALLOW_REUSE" parameter in the config, but apparently it's not there by default. Also, according to this Twitter post, many other implementations also accept the OTP multiple times:

https://twitter.com/jmedwards/status/558561104214102016

"Amazing how many vendors allow reuse of TOTP/2FA codes within time window. Culprits: most banks, Github… At least Google follows the RFC."

The RFC does indeed not allow multiple use of the OTP:

https://tools.ietf.org/html/rfc6238:

   Note that a prover may send the same OTP inside a given time-step
   window multiple times to a verifier.  The verifier MUST NOT accept
   the second attempt of the OTP after the successful validation has
   been issued for the first OTP, which ensures one-time only use of an
   OTP.
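
An added illustration of the reuse behaviour discussed in comment 1, not part of the original bug report and not code from ThinLinc or google-authenticator: a minimal RFC 6238 verifier in Python whose hypothetical `disallow_reuse` flag models the rule quoted above. The `Verifier` class, the `login_twice` helper and the sample secret are assumptions made for the example, and clock-drift windows are left out.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per time-step (RFC 6238 default)
SECRET = b"12345678901234567890"   # constructed sample secret (RFC 6238 test key)


def totp(secret: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA-1) for Unix time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F        # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical verifier; disallow_reuse models the RFC 6238 rule."""

    def __init__(self, secret: bytes, disallow_reuse: bool):
        self.secret = secret
        self.disallow_reuse = disallow_reuse
        self.last_step = -1        # highest time-step already accepted

    def verify(self, otp: str, now: int) -> bool:
        step = now // STEP
        if not hmac.compare_digest(otp, totp(self.secret, now)):
            return False
        if self.disallow_reuse:
            if step <= self.last_step:
                return False       # an OTP for this time-step was already accepted
            self.last_step = step
        return True


def login_twice(verifier: Verifier, now: int):
    """Present one OTP twice, 5 s apart, as in the master-then-agent flow."""
    otp = totp(verifier.secret, now)
    return verifier.verify(otp, now), verifier.verify(otp, now + 5)


if __name__ == "__main__":
    print("reuse allowed:   ", login_twice(Verifier(SECRET, False), 60))
    print("reuse disallowed:", login_twice(Verifier(SECRET, True), 60))
```

With reuse disallowed, the second presentation of the same code fails until the next time-step, which is why a flow that sends one OTP to both the master and the agent only works against a verifier that tolerates reuse.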
Comment 2 Karl Mikaelsson cendio 2015-09-08 13:39:22 CEST
(In reply to comment #1)
> When it comes to alternatives, it's worth noting that our requirement is using
> the OTP twice: One time against the master, one time against the agent. Many
> TOTP implementations allow this. This includes google-authenticator. It allows
> a "DISALLOW_REUSE" parameter in the config, but apparently it's not there by
> default. Also, according to this Twitter post, many other implementations also
> accept the OTP multiple times:
> 
> https://twitter.com/jmedwards/status/558561104214102016
> 
> "Amazing how many vendors allow reuse of TOTP/2FA codes within time window.
> Culprits: most banks, Github… At least Google follows the RFC."
> 
> The RFC does indeed not allow multiple use of the OTP:
> 
> https://tools.ietf.org/html/rfc6238:
> 
>    Note that a prover may send the same OTP inside a given time-step
>    window multiple times to a verifier.  The verifier MUST NOT accept
>    the second attempt of the OTP after the successful validation has
>    been issued for the first OTP, which ensures one-time only use of an
>    OTP.

Split off to bug 5614.
Comment 4 Henrik Andersson cendio 2015-09-10 09:34:59 CEST
Added bug 5636 for remove/update of SecurID section.
Comment 5 Pierre Ossman cendio 2015-09-11 10:10:06 CEST
The TAG looks good, but we still mention NordicEdge in an unsuitable way in the white paper.
Comment 7 Pierre Ossman cendio 2015-09-11 14:47:02 CEST
PDF version wasn't updated.
Comment 9 Pierre Ossman cendio 2015-09-15 14:09:51 CEST
PDF looks good now.
