Subject: Re: [wss] HMAC Key Derivation in UsernameToken Profile


> An XML Digital Signature doesn't mix the shared secret with 'salt'
> information before an hmac-sha1 authentication code is generated. That
> is, the key is the same as the utf8 encoded password.

I don't see where XML DSIG says anything at all about the HMAC shared
secret.   Nevertheless, it has also been my understanding that all that's
needed is the shared secret.

I suggest that we say something like "if the HMAC key is to be
derived from more than just the password, then implementations
MUST convey that information along with the initial shared secret."
I don't think it's right for us to outlaw any key derivation.  That
kind of profiling should be left to WS-I.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
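Added illustration of the point under discussion; this is not code from the thread or from the WSS UsernameToken Profile. It contrasts the plain reading (HMAC-SHA1 key is exactly the UTF-8 encoded password) with a derived key, using PBKDF2 with a salt and iteration count as an assumed stand-in for "more than just the password", and shows that a verifier can only reproduce a derived-key MAC if those derivation parameters are conveyed with the token.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the mailing-list thread).
PASSWORD = "correct horse battery staple"
SIGNED_INFO = b"<ds:SignedInfo>...canonicalized bytes...</ds:SignedInfo>"


def hmac_sha1_plain(password: str, data: bytes) -> bytes:
    """Plain reading: the HMAC key is the UTF-8 encoding of the password."""
    return hmac.new(password.encode("utf-8"), data, hashlib.sha1).digest()


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Assumed derivation: PBKDF2-HMAC-SHA1 over the password plus salt.

    Any derivation that mixes extra material into the key needs that
    material (here: salt and iteration count) to reach the verifier.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, dklen=20)


def hmac_sha1_derived(password: str, salt: bytes, iterations: int,
                      data: bytes) -> bytes:
    """HMAC-SHA1 keyed with the derived key instead of the raw password."""
    key = derive_key(password, salt, iterations)
    return hmac.new(key, data, hashlib.sha1).digest()


def verify(tag: bytes, password: str, data: bytes, derivation=None) -> bool:
    """Verifier side: recompute the MAC and compare in constant time.

    `derivation` is the (salt, iterations) pair conveyed alongside the
    token, or None when the verifier assumes the plain password key.
    """
    if derivation is None:
        expected = hmac_sha1_plain(password, data)
    else:
        salt, iterations = derivation
        expected = hmac_sha1_derived(password, salt, iterations, data)
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    derived_tag = hmac_sha1_derived(PASSWORD, b"salt-1234", 1000, SIGNED_INFO)
    # Verifier that was not told about the derivation cannot check the tag.
    print("plain-assumption verifies derived tag:",
          verify(derived_tag, PASSWORD, SIGNED_INFO))
    # Once salt and iteration count are conveyed, verification succeeds.
    print("conveyed-derivation verifies derived tag:",
          verify(derived_tag, PASSWORD, SIGNED_INFO, (b"salt-1234", 1000)))
```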