
saml-dev message


Subject: Re: [saml-dev] using HMAC-SHA1 as for SSO (SAML)

On 3/8/12 8:28 PM, "swu@axolotl.com" <swu@axolotl.com> wrote:
>We have a customer who wants to use
>HMAC-SHA1 (with a shared symmetric key) as digital signature vs our
>RSA-SHA1, we are trying to see if SAML spec allows it.

It allows anything XML Signature allows, essentially.

>Obviously HMAC-SHA1 is faster but since
>I am not a crypto person, it is hard for me to tell the customer if there
>is any security vulnerability at the crypto level.  We know it provides
>integrity, some level of authentication, can it provide non-repudiation
>for auditing purposes?

I would assume not, since obviously the RP has the same key.

-- Scott
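
Added example, not part of the original thread: a Python sketch of why an HMAC-SHA1 tag under a shared key gives integrity but no non-repudiation, since the RP can produce tags indistinguishable from the IdP's. The key, the party names and the assertion bytes are constructed stand-ins, and the byte strings only approximate the canonicalized content XML Signature would actually protect.

```python
import hashlib
import hmac

# Constructed demo key; in the scenario above the IdP and the RP hold the same one.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
KEY_HOLDERS = {"idp": SHARED_KEY, "rp": SHARED_KEY}  # hypothetical party names


def sign(key: bytes, signed_bytes: bytes) -> bytes:
    """Compute the HMAC-SHA1 tag over the bytes being protected."""
    return hmac.new(key, signed_bytes, hashlib.sha1).digest()


def verify(key: bytes, signed_bytes: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag matches the bytes under this key."""
    return hmac.compare_digest(sign(key, signed_bytes), tag)


def possible_signers(signed_bytes: bytes, tag: bytes) -> list[str]:
    """What an auditor can conclude: every key holder who could have made the tag."""
    return sorted(n for n, k in KEY_HOLDERS.items() if verify(k, signed_bytes, tag))


# Constructed stand-ins for canonicalized signed content (not real SAML).
ISSUED = b'<Assertion ID="_a1"><Subject>alice</Subject></Assertion>'
DISPUTED = b'<Assertion ID="_a2"><Subject>bob</Subject></Assertion>'

issued_tag = sign(KEY_HOLDERS["idp"], ISSUED)      # produced by the IdP
disputed_tag = sign(KEY_HOLDERS["rp"], DISPUTED)   # produced by the RP itself

if __name__ == "__main__":
    # Integrity and authentication hold against anyone without the key.
    print(verify(SHARED_KEY, ISSUED, issued_tag))
    print(verify(SHARED_KEY, ISSUED.replace(b"alice", b"carol"), issued_tag))
    # Attribution does not: both records are consistent with either party.
    print(possible_signers(ISSUED, issued_tag))
    print(possible_signers(DISPUTED, disputed_tag))
```

An audit log of such tags shows only that some holder of the shared key produced each record, which is the limitation the reply points to.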
