RFC 6238, "TOTP: Time-Based One-Time Password Algorithm", May 2011
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 4249
Reported By: David Woodhouse
Date Reported: 2015-01-30
Section 4.2 says:
The provisioning flow is out of scope of this document; refer to [RFC6030] for such provisioning container specifications.
It's insufficient to simply refer to RFC6030 here. See RFC6030 §4.3.4 where it states that the precise semantics of fields such as the <Suite> element are defined according to the algorithm profile. It does provide in §10 the definitions for HOTP and PIN algorithms — but it doesn't give them for TOTP because the standardisation of TOTP came later.
So *someone* needs to tell us what strings to put in the <Suite> element to indicate SHA1/SHA256/SHA512 etc. Either an update to RFC6030, or I would have thought it was better done with a section in RFC6238... which is missing.
Am I missing something?