From 652ff2c5228fbf4d61375b5ddf0e7f1ed05d7752 Mon Sep 17 00:00:00 2001 From: "mark a. foltz" Date: Tue, 20 Aug 2019 16:25:48 -0700 Subject: [PATCH] Replace pw with at --- index.bs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/index.bs b/index.bs index 29024df..6a658dc 100644 --- a/index.bs +++ b/index.bs @@ -346,12 +346,12 @@ Issue: Include cross references to the specs for these hash functions. The advertising agent should add an additional field to the TXT record: -: pw +: at :: An alphanumeric, unguessable token consisting of characters from the set `[A-Za-z0-9+/]`. -Note: `pw` prevents off-LAN parties from attempting authentication; see -[[#remote-active-mitigations]]. `pw` should have at least 32 bits of true +Note: `at` prevents off-LAN parties from attempting authentication; see +[[#remote-active-mitigations]]. `at` should have at least 32 bits of true entropy to make brute force attacks impractical. Issue: Add examples of sample mDNS records. @@ -532,10 +532,10 @@ support the numeric PSK input method. Any authentication method may require an `auth-initation-token` before showing a PSK to the user or requesting PSK input from the user. If an [=advertising -agent=] has the `pw` field in its mDNS TXT record, it must be used as the +agent=] has the `at` field in its mDNS TXT record, it must be used as the `auth-initation-token` in the the first authentication message sent to or from that agent. Agents should discard any authentication message whose -`auth-initation-token` is set and does not match the `pw` provided by the +`auth-initation-token` is set and does not match the `at` provided by the advertising agent. Authentication with SPAKE2 {#authentication-with-spake2} 
@@ -2138,7 +2138,7 @@ Protocol agents, because a misconfigured firewall or NAT could expose a LAN-connected agent to the broader Internet. Open Screen Protocol agents should be secure against attack from any Internet host. -Advertising agents should set the `pw` field in their mDNS TXT record to protect +Advertising agents should set the `at` field in their mDNS TXT record to protect themselves from off-LAN attempts to initiate [[#authentication]], which result in user annoyance (display or input of PSK) and potential brute force attacks against the PSK.
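Review bot: In the first hunk (the TXT record field definition at `-: pw` / `+: at`), the rename is applied consistently, but the retained description is internally inconsistent: it calls the token "alphanumeric" while the allowed set `[A-Za-z0-9+/]` includes `+` and `/`, which are not alphanumeric. Since this patch already touches the field definition, consider rewording to "a token consisting of characters from the set `[A-Za-z0-9+/]`" (or stating that it is base64-encoded, if that is the intent) so implementers do not reject valid tokens. The commit message "Replace pw with at" also gives no rationale for the new name; a one-line explanation of what `at` abbreviates would help readers of the spec history.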
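Review bot: In the second hunk (the `auth-initation-token` paragraph around line 532), the changed context line still reads "in the the first authentication message"; since this line is being rewritten anyway, drop the duplicated "the". The identifier `auth-initation-token` in the same hunk also looks like a misspelling of "initiation"; if that is the case it is worth fixing in the same change, but only together with every other occurrence in the document, because the token name is normative wire-format text.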