[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] using HMAC-SHA1 as for SSO (SAML)
On 3/8/12 8:28 PM, "swu@axolotl.com" <swu@axolotl.com> wrote: > >We have a customer who wants to use >HMAC-SHA1 (with a shared symmetric key) as digital signature vs our >standard >RSA-SHA1, we are trying to see if SAML spec allows it. It allows anything XML Signature allows, essentially. > > >Obviously HMAC-SHA1 is faster but since >I am not a crypto person, it is hard for me to tell the customer if there >is any security vulnerability at the crypto level. We know it provide >integrity, some level of authentication, can it provide non reputation >for auditing purpose ? I would assume not, since obviously the RP has the same key. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]