Internet Engineering Task Force (IETF)                          M. Jones
Request for Comments: 8176                                     Microsoft
Category: Standards Track                                        P. Hunt
ISSN: 2070-1721                                                   Oracle
                                                              A. Nadalin
                                                               Microsoft
                                                               June 2017
Authentication Method Reference Values

Abstract

The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry, but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.
Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8176.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

   1.  Introduction
       1.1.  Requirements Notation and Conventions
       1.2.  Terminology
   2.  Authentication Method Reference Values
   3.  Relationship to "acr" (Authentication Context Class Reference)
   4.  Privacy Considerations
   5.  Security Considerations
   6.  IANA Considerations
       6.1.  Authentication Method Reference Values Registry
             6.1.1.  Registration Template
             6.1.2.  Initial Registry Contents
   7.  References
       7.1.  Normative References
       7.2.  Informative References
   Appendix A.  Examples
   Acknowledgements
   Authors' Addresses
1.  Introduction

The "amr" (Authentication Methods References) claim is defined and registered in the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims], but no standard Authentication Method Reference values are currently defined. This specification establishes a registry for Authentication Method Reference values and defines an initial set of Authentication Method Reference values.

For context, the "amr" (Authentication Methods References) claim is defined by Section 2 of the OpenID Connect Core 1.0 specification [OpenID.Core] as follows:

   amr  OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the "amr" Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The "amr" value is an array of case sensitive strings.

Typically, each "amr" value provides an identifier for a family of closely related authentication methods. For example, the "otp" identifier intentionally covers OTPs (One-Time Passwords) based on both time and HMAC (Hashed Message Authentication Code). Many relying parties will be content to know that an OTP has been used in addition to a password; the distinction between which kind of OTP was used is not useful to them. Thus, there's a single identifier that can be satisfied in two or more nearly equivalent ways.

Similarly, there's a whole range of nuances between different fingerprint-matching algorithms. They differ in false-positive and false-negative rates over different population samples and also differ based on the kind and model of fingerprint sensor used. Like the OTP case, many relying parties will be content to know that a fingerprint match was made, without delving into and differentiating based on every aspect of the implementation of fingerprint capture and match. The "fpt" identifier accomplishes this.

Ultimately, the relying party is depending upon the identity provider to do reasonable things. If it does not trust the identity provider to do so, it has no business using it. The "amr" value lets the identity provider signal to the relying party additional information about what it did, for the cases in which that information is useful to the relying party.

The "amr" values defined by this specification are not intended to be an exhaustive set covering all use cases. Additional values can and will be added to the registry by other specifications. Rather, the values defined herein are an intentionally small set and are already actually being used in practice.

The values defined by this specification only make distinctions that are known to be useful to relying parties. Slicing things more finely than would be used in practice would actually hurt interoperability, rather than helping it, because it would force relying parties to recognize that several or many different values actually mean the same thing to them.

For context, while the claim values registered pertain to authentication, note that OAuth 2.0 [RFC6749] is designed for resource authorization and cannot be used for authentication without employing appropriate extensions, such as those defined by OpenID Connect Core 1.0 [OpenID.Core]. The existence of the "amr" claim and values for it should not be taken as encouragement to try to use OAuth 2.0 for authentication without employing extensions that enable secure authentication to be performed.

When used with OpenID Connect, if the identity provider supplies an "amr" claim in the ID Token resulting from a successful authentication, the relying party can inspect the values returned and thereby learn details about how the authentication was performed. For instance, the relying party might learn that only a password was used or it might learn that iris recognition was used in combination with a hardware-secured key. Whether "amr" values are provided and which values are understood by what parties are both beyond the scope of this specification. The OpenID Connect MODRNA Authentication Profile 1.0 [OpenID.MODRNA] is one example of an application context that uses "amr" values defined by this specification.
1.1.  Requirements Notation and Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
1.2.  Terminology

This specification uses the terms defined by JSON Web Token (JWT) [RFC7519] and OpenID Connect Core 1.0 [OpenID.Core].
2.  Authentication Method Reference Values

The following is a list of Authentication Method Reference values defined by this specification:

   face  Biometric authentication [RFC4949] using facial recognition.

   fpt  Biometric authentication [RFC4949] using a fingerprint.

   geo  Use of geolocation information for authentication, such as that provided by [W3C.REC-geolocation-API-20161108].

   hwk  Proof-of-Possession (PoP) of a hardware-secured key. See Appendix C of [RFC4211] for a discussion on PoP.

   iris  Biometric authentication [RFC4949] using an iris scan.

   kba  Knowledge-based authentication [NIST.800-63-2] [ISO29115].

   mca  Multiple-channel authentication [MCA]. The authentication involves communication over more than one distinct communication channel. For instance, a multiple-channel authentication might involve both entering information into a workstation's browser and providing information on a telephone call to a pre-registered number.

   mfa  Multiple-factor authentication [NIST.800-63-2] [ISO29115]. When this is present, specific authentication methods used may also be included.

   otp  One-time password [RFC4949]. One-time password specifications that this authentication method applies to include [RFC4226] and [RFC6238].

   pin  Personal Identification Number (PIN) [RFC4949] or pattern (not restricted to containing only numbers) that a user enters to unlock a key on the device. This mechanism should have a way to deter an attacker from obtaining the PIN by trying repeated guesses.

   pwd  Password-based authentication [RFC4949].

   rba  Risk-based authentication [JECM].

   retina  Biometric authentication [RFC4949] using a retina scan.

   sc  Smart card [RFC4949].

   sms  Confirmation using SMS [SMS] text message to the user at a registered number.

   swk  Proof-of-Possession (PoP) of a software-secured key. See Appendix C of [RFC4211] for a discussion on PoP.

   tel  Confirmation by telephone call to the user at a registered number. This authentication technique is sometimes also referred to as "call back" [RFC4949].

   user  User presence test. Evidence that the end user is present and interacting with the device. This is sometimes also referred to as "test of user presence" [W3C.WD-webauthn-20170216].

   vbm  Biometric authentication [RFC4949] using a voiceprint.

   wia  Windows integrated authentication [MSDN].
3.  Relationship to "acr" (Authentication Context Class Reference)

The "acr" (Authentication Context Class Reference) claim and "acr_values" request parameter are related to the "amr" (Authentication Methods References) claim, but with important differences. An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination. Interactions using "acr_values" request that the specified Authentication Context Classes be used and that the result should contain an "acr" claim saying which Authentication Context Class was satisfied. The "acr" claim in the reply states that the business rules for the class were satisfied -- not how they were satisfied.

In contrast, interactions using the "amr" claim make statements about the particular authentication methods that were used. This tends to be more brittle than using "acr", since the authentication methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the deployment of new authentication methods.
4.  Privacy Considerations

The list of "amr" claim values returned in an ID Token reveals information about the way that the end user authenticated to the identity provider. In some cases, this information may have privacy implications.
5.  Security Considerations

While this specification defines identifiers for particular kinds of credentials, it does not define how these credentials are stored or protected. For instance, ensuring the security and privacy of biometric credentials that are referenced by some of the defined Authentication Method Reference values is beyond the scope of this specification.

The security considerations in OpenID Connect Core 1.0 [OpenID.Core], OAuth 2.0 [RFC6749], and the entire OAuth 2.0 Threat Model [RFC6819] apply to applications using this specification.

As described in Section 3, taking a dependence upon particular authentication methods may result in brittle systems since the authentication methods that may be appropriate for a given authentication will vary over time.
6.  IANA Considerations

6.1.  Authentication Method Reference Values Registry

This specification establishes the IANA "Authentication Method Reference Values" registry for "amr" claim array element values. The registry records the Authentication Method Reference value and a reference to the specification that defines it. This specification registers the Authentication Method Reference values defined in Section 2.

Values are registered on an Expert Review [RFC5226] basis after a three-week review period on the <jwt-reg-review@ietf.org> mailing list, on the advice of one or more Designated Experts. To increase potential interoperability, the Designated Experts are requested to encourage registrants to provide the location of a publicly accessible specification defining the values being registered, so that their intended usage can be more easily understood.

Registration requests sent to the mailing list for review should use an appropriate subject (e.g., "Request to register Authentication Method Reference value: otp").

Within the review period, the Designated Experts will either approve or deny the registration request, communicating this decision to the review list and IANA. Denials should include an explanation and, if applicable, suggestions as to how to make the request successful. Registration requests that are undetermined for a period longer than 21 days can be brought to the IESG's attention (using the <iesg@ietf.org> mailing list) for resolution.

IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review mailing list.

It is suggested that the same Designated Experts evaluate these registration requests as those who evaluate registration requests for the IANA "JSON Web Token Claims" registry [IANA.JWT.Claims].

Criteria that should be applied by the Designated Experts include determining whether the proposed registration duplicates existing functionality; whether it is likely to be of general applicability or whether it is useful only for a single application; whether the value is actually being used; and whether the registration description is clear.
6.1.1.  Registration Template

Authentication Method Reference Name: The name requested (e.g., "otp") for the authentication method or family of closely related authentication methods. Because a core goal of this specification is for the resulting representations to be compact, it is RECOMMENDED that the name be short -- that is, not to exceed 8 characters without a compelling reason to do so. To facilitate interoperability, the name must use only printable ASCII characters excluding double quote ('"') and backslash ('\') (the Unicode characters with code points U+0021, U+0023 through U+005B, and U+005D through U+007E). This name is case sensitive. Names may not match other registered names in a case-insensitive manner unless the Designated Experts state that there is a compelling reason to allow an exception.

Authentication Method Reference Description: Brief description of the Authentication Method Reference (e.g., "One-time password").

Change Controller: For Standards Track RFCs, state "IESG". For others, give the name of the responsible party. Other details (e.g., postal address, email address, home page URI) may also be included.

Specification Document(s): Reference to the document or documents that specify the parameter, preferably including URIs that can be used to retrieve copies of the documents. An indication of the relevant sections may also be included but is not required.
6.1.2.  Initial Registry Contents

o  Authentication Method Reference Name: "face"
o  Authentication Method Reference Description: Facial recognition
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "fpt"
o  Authentication Method Reference Description: Fingerprint biometric
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "geo"
o  Authentication Method Reference Description: Geolocation
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "hwk"
o  Authentication Method Reference Description: Proof-of-possession of a hardware-secured key
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "iris"
o  Authentication Method Reference Description: Iris scan biometric
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "kba"
o  Authentication Method Reference Description: Knowledge-based authentication
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "mca"
o  Authentication Method Reference Description: Multiple-channel authentication
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "mfa"
o  Authentication Method Reference Description: Multiple-factor authentication
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "otp"
o  Authentication Method Reference Description: One-time password
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "pin"
o  Authentication Method Reference Description: Personal Identification Number or pattern
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "pwd"
o  Authentication Method Reference Description: Password-based authentication
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "rba"
o  Authentication Method Reference Description: Risk-based authentication
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "retina"
o  Authentication Method Reference Description: Retina scan biometric
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "sc"
o  Authentication Method Reference Description: Smart card
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "sms"
o  Authentication Method Reference Description: Confirmation using SMS
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "swk"
o  Authentication Method Reference Description: Proof-of-possession of a software-secured key
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "tel"
o  Authentication Method Reference Description: Confirmation by telephone call
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "user"
o  Authentication Method Reference Description: User presence test
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "vbm"
o  Authentication Method Reference Description: Voice biometric
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]

o  Authentication Method Reference Name: "wia"
o  Authentication Method Reference Description: Windows integrated authentication
o  Change Controller: IESG
o  Specification Document(s): Section 2 of [RFC8176]
7.  References

7.1.  Normative References

[IANA.JWT.Claims] IANA, "JSON Web Token Claims", <http://www.iana.org/assignments/jwt>.

[OpenID.Core] Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0", November 2014, <http://openid.net/specs/openid-connect-core-1_0.html>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>.

[RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, <http://www.rfc-editor.org/info/rfc6749>.

[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, <http://www.rfc-editor.org/info/rfc7519>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <http://www.rfc-editor.org/info/rfc8174>.
7.2.  Informative References

[ISO29115] International Organization for Standardization, "ISO/IEC 29115:2013 Information technology - Security techniques - Entity authentication assurance framework", ISO/IEC 29115:2013, April 2013, <https://www.iso.org/standard/45138.html>.

[JECM] Williamson, G., "Enhanced Authentication In Online Banking", Journal of Economic Crime Management 4.2: 18-19, 2006, <http://utica.edu/academic/institutes/ecii/publications/articles/51D6D996-90F2-F468-AC09C4E8071575AE.pdf>.

[MCA] ldapwiki.com, "Multiple-channel Authentication", August 2016, <https://www.ldapwiki.com/wiki/Multiple-channel%20Authentication>.

[MSDN] Microsoft, "Integrated Windows Authentication with Negotiate", September 2011, <http://blogs.msdn.com/b/benjaminperkins/archive/2011/09/14/iis-integrated-windows-authentication-with-negotiate.aspx>.

[NIST.800-63-2] National Institute of Standards and Technology (NIST), "Electronic Authentication Guideline", NIST Special Publication 800-63-2, DOI 10.6028/NIST.SP.800-63-2, August 2013, <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf>.

[OpenID.MODRNA] Connotte, J. and J. Bradley, "OpenID Connect MODRNA Authentication Profile 1.0", March 2017, <http://openid.net/specs/openid-connect-modrna-authentication-1_0.html>.

[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)", RFC 4211, DOI 10.17487/RFC4211, September 2005, <http://www.rfc-editor.org/info/rfc4211>.

[RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and O. Ranen, "HOTP: An HMAC-Based One-Time Password Algorithm", RFC 4226, DOI 10.17487/RFC4226, December 2005, <http://www.rfc-editor.org/info/rfc4226>.

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC6238] M'Raihi, D., Machani, S., Pei, M., and J. Rydell, "TOTP: Time-Based One-Time Password Algorithm", RFC 6238, DOI 10.17487/RFC6238, May 2011, <http://www.rfc-editor.org/info/rfc6238>.

[RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0 Threat Model and Security Considerations", RFC 6819, DOI 10.17487/RFC6819, January 2013, <http://www.rfc-editor.org/info/rfc6819>.

[SMS] 3GPP, "Technical realization of the Short Message Service (SMS)", 3GPP Technical Specification (TS) 03.40 Version 7.5.0 (2001-12), January 2002, <https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=141>.

[W3C.REC-geolocation-API-20161108] Popescu, A., "Geolocation API Specification 2nd Edition", World Wide Web Consortium Recommendation REC-geolocation-API-20161108, November 2016, <https://www.w3.org/TR/2016/REC-geolocation-API-20161108>.

[W3C.WD-webauthn-20170216] Bharadwaj, V., Le Van Gong, H., Balfanz, D., Czeskis, A., Birgisson, A., Hodges, J., Jones, M., Lindemann, R., and J. Jones, "Web Authentication: An API for accessing Scoped Credentials", World Wide Web Consortium Working Draft WD-webauthn-20170216, February 2017, <http://www.w3.org/TR/2017/WD-webauthn-20170216/>.
Appendix A.  Examples

In some cases, the "amr" claim value returned may contain a single Authentication Method Reference value. For example, the following "amr" claim value indicates that the authentication performed used an iris scan biometric:

   "amr": ["iris"]

In other cases, the "amr" claim value returned may contain multiple Authentication Method Reference values. For example, the following "amr" claim value indicates that the authentication performed used a password and knowledge-based authentication:

   "amr": ["pwd", "kba"]
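As an added example that is not part of this RFC, the following Python shows a relying party inspecting the "amr" claim of a decoded ID Token payload: it enforces the claim's syntax (a JSON array of case-sensitive strings), tolerates values outside the initial registry because the IANA registry is extensible, and evaluates one illustrative multi-factor policy over the two Appendix A claims and two further constructed ones. The grouping of values into knowledge, possession and inherence families, the "x-push" value and all function names are assumptions of the example; RFC 8176 does not classify its values into factors.

```python
import json
from typing import Iterable, List, Optional, Set

# Initial registry contents from Section 2 of RFC 8176. The IANA registry is
# extensible, so values outside this set are legal and must be tolerated.
REGISTERED_AMR_VALUES = frozenset({
    "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
    "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
})

# Factor families used by this example's policy. The grouping is an assumption
# made for the example; RFC 8176 does not classify its values into factors, and
# values such as "geo", "rba", "user", "mca" and "wia" count toward no family.
FACTOR_FAMILIES = {
    "knowledge": frozenset({"pwd", "pin", "kba"}),
    "possession": frozenset({"hwk", "swk", "sc", "otp", "sms", "tel"}),
    "inherence": frozenset({"face", "fpt", "iris", "retina", "vbm"}),
}


class AmrError(ValueError):
    """Raised when the "amr" claim is present but syntactically invalid."""


def parse_amr(payload: dict) -> Optional[List[str]]:
    """Extract "amr" from a decoded ID Token payload.

    OpenID Connect Core defines "amr" as an OPTIONAL JSON array of
    case-sensitive strings. A missing claim yields None; a claim of any other
    shape (e.g. the bare string "pwd") is rejected rather than coerced.
    """
    if "amr" not in payload:
        return None
    amr = payload["amr"]
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise AmrError('"amr" must be a JSON array of strings')
    return amr


def families_present(amr: Iterable[str]) -> Set[str]:
    """Factor families (per FACTOR_FAMILIES) evidenced by the amr values.

    Matching is exact because "amr" values are case sensitive: "PWD" is not
    "pwd" and contributes nothing.
    """
    present = set(amr)
    return {name for name, members in FACTOR_FAMILIES.items() if present & members}


def unknown_values(amr: Iterable[str]) -> List[str]:
    """Values outside the initial registry: worth logging, not worth rejecting."""
    return [v for v in amr if v not in REGISTERED_AMR_VALUES]


def second_factor_satisfied(amr: Optional[List[str]]) -> bool:
    """Illustrative relying-party policy: require multi-factor evidence.

    Accept when the identity provider asserts "mfa" outright, or when the
    listed methods span at least two distinct factor families. Two methods
    from one family (e.g. ["pwd", "kba"]) are not two factors. An absent
    claim carries no evidence and therefore fails; a policy that must stay
    stable as methods change over time is better expressed with "acr".
    """
    if amr is None:
        return False
    if "mfa" in amr:
        return True
    return len(families_present(amr)) >= 2


def evaluate(id_token_payload_json: str) -> dict:
    """Run the checks on a JSON-encoded ID Token payload and report them."""
    payload = json.loads(id_token_payload_json)
    amr = parse_amr(payload)
    return {
        "amr": amr,
        "unknown": unknown_values(amr or []),
        "families": sorted(families_present(amr or [])),
        "mfa_ok": second_factor_satisfied(amr),
    }


# Constructed sample payloads; other ID Token claims are omitted for brevity.
# "x-push" is a made-up value standing in for a not-yet-registered method.
SAMPLE_IRIS = '{"sub": "example-subject", "amr": ["iris"]}'
SAMPLE_PWD_KBA = '{"sub": "example-subject", "amr": ["pwd", "kba"]}'
SAMPLE_PWD_OTP = '{"sub": "example-subject", "amr": ["pwd", "otp"]}'
SAMPLE_MFA_EXT = '{"sub": "example-subject", "amr": ["mfa", "pwd", "x-push"]}'

if __name__ == "__main__":
    for sample in (SAMPLE_IRIS, SAMPLE_PWD_KBA, SAMPLE_PWD_OTP, SAMPLE_MFA_EXT):
        print(evaluate(sample))
```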
Acknowledgements

Caleb Baker participated in specifying the original set of "amr" values. Jari Arkko, John Bradley, Ben Campbell, Brian Campbell, William Denniss, Linda Dunbar, Stephen Farrell, Paul Kyzivat, Elaine Newton, James Manger, Catherine Meadows, Alexey Melnikov, Kathleen Moriarty, Nat Sakimura, and Mike Schwartz provided reviews of the specification.
Authors' Addresses

Michael B. Jones
Microsoft

Email: mbj@microsoft.com
URI:   http://self-issued.info/

Phil Hunt
Oracle

Email: phil.hunt@yahoo.com

Anthony Nadalin
Microsoft

Email: tonynad@microsoft.com