From c7a234aa5fae9f72a80c9c2f20cb94914632fb92 Mon Sep 17 00:00:00 2001 From: "mark a. foltz" Date: Tue, 20 Aug 2019 16:32:02 -0700 Subject: [PATCH] Make auth-initiation-token mandatory. --- index.bs | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index 6a658dc..8c3a8f7 100644 --- a/index.bs +++ b/index.bs @@ -344,8 +344,6 @@ Issue: Include cross references to the specs for these hash functions. value. This signals to the listening agent that it should connect to the advertising agent to discover updated metadata. -The advertising agent should add an additional field to the TXT record: - : at :: An alphanumeric, unguessable token consisting of characters from the set `[A-Za-z0-9+/]`. @@ -531,8 +529,8 @@ are numeric and scanning a QR-code. Devices with non-zero PSK ease of input mus support the numeric PSK input method. Any authentication method may require an `auth-initation-token` before showing a -PSK to the user or requesting PSK input from the user. If an [=advertising -agent=] has the `at` field in its mDNS TXT record, it must be used as the +PSK to the user or requesting PSK input from the user. For an [=advertising +agent=], the `at` field in its mDNS TXT record must be used as the `auth-initation-token` in the the first authentication message sent to or from that agent. Agents should discard any authentication message whose `auth-initation-token` is set and does not match the `at` provided by the 
@@ -2138,7 +2136,7 @@ Protocol agents, because a misconfigured firewall or NAT could expose a LAN-connected agent to the broader Internet. Open Screen Protocol agents should be secure against attack from any Internet host. -Advertising agents should set the `at` field in their mDNS TXT record to protect +Advertising agents must set the `at` field in their mDNS TXT record to protect themselves from off-LAN attempts to initiate [[#authentication]], which result in user annoyance (display or input of PSK) and potential brute force attacks against the PSK.
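Review bot: Deleting "The advertising agent should add an additional field to the TXT record:" in the @@ -344 hunk leaves the `: at ::` definition entry with no lead-in, so the requirement that the advertising agent actually include the field is no longer stated here at all. Since the patch makes the token mandatory, replace the sentence rather than drop it, e.g. "The advertising agent must add the following field to the TXT record:". While here, the `at` description gives a character set but no minimum length; a token meant to stop off-LAN authentication attempts should specify a minimum size so implementers do not pick trivially short values.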
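Review bot: The unchanged context after the rewritten sentences in the @@ -531 hunk still reads "Agents should discard any authentication message whose `auth-initation-token` is set and does not match the `at`", which with a mandatory token leaves messages that omit the token unaddressed. Suggest "whose `auth-initation-token` is absent or does not match the `at`" so the new requirement is actually enforced on receipt. Two smaller points in the same context: "in the the first authentication message" has a doubled word, and the spec text spells the field `auth-initation-token` while the commit subject spells it `auth-initiation-token`; whichever is the defined name, the two should agree.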
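Review bot: Changing "should" to "must" in the @@ -2138 hunk puts the only remaining normative requirement to set `at` in the security considerations prose, since the @@ -344 hunk removed the sentence that introduced the field in the protocol section. Keep the requirement where the TXT record is defined and have this paragraph reference it, so the rationale (off-LAN attempts causing PSK prompts and brute force against the PSK) stays informative rather than carrying the conformance rule on its own.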