Subject: Re: [wss] HMAC Key Derivation in UsernameToken Profile
> An XML Digital Signature doesn't mix the shared secret with 'salt'
> information before an hmac-sha1 authentication code is generated. That
> is, the key is the same as the utf8 encoded password.

I don't see where XML DSIG says anything at all about the HMAC shared secret. Nevertheless, it has also been my understanding that all that's needed is the shared secret.

I suggest that we say something like "if the HMAC key is to be derived from more than just the password, then implementations MUST convey that information along with the initial shared secret."

I don't think it's right for us to outlaw any key derivation. That kind of profiling should be left to WS-I.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
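The interoperability point in the message above, as an added example that is not part of the original post: an HMAC-SHA1 keyed with the UTF-8 password verifies with the shared secret alone, while a derived key verifies only if the derivation inputs travel with the message. PBKDF2-HMAC-SHA1, the params dict, and all sample values are assumptions made for this illustration; the thread names no particular derivation.

```python
import hashlib
import hmac

def hmac_key(password, params=None):
    """Return the HMAC key for a shared password.

    params is None   -> key is the UTF-8 encoded password (no derivation).
    params is a dict -> key is derived; PBKDF2-HMAC-SHA1 is an assumed
    derivation chosen for this example, not one named in the thread.
    """
    if params is None:
        return password.encode("utf-8")
    if params.get("kdf") != "pbkdf2-hmac-sha1":
        raise ValueError("unknown key derivation: %r" % params.get("kdf"))
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               params["salt"], params["iterations"], dklen=20)

def sign(password, message, params=None):
    """Sender: return (mac, params); params must be conveyed with the message."""
    mac = hmac.new(hmac_key(password, params), message, hashlib.sha1).digest()
    return mac, params

def verify(password, message, mac, params=None):
    """Receiver: recompute with the conveyed params, constant-time compare."""
    expected = hmac.new(hmac_key(password, params), message, hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)

# Constructed sample input (hypothetical values).
PASSWORD = "correct horse"
MESSAGE = b"<SignedInfo>constructed sample</SignedInfo>"
PARAMS = {"kdf": "pbkdf2-hmac-sha1", "salt": b"\x01" * 16, "iterations": 1000}

def demo():
    plain_mac, _ = sign(PASSWORD, MESSAGE)
    derived_mac, sent_params = sign(PASSWORD, MESSAGE, PARAMS)
    return {
        # Password-only key: the shared secret is all the receiver needs.
        "plain_ok": verify(PASSWORD, MESSAGE, plain_mac),
        # Derived key: succeeds when salt and iteration count are conveyed.
        "derived_with_params": verify(PASSWORD, MESSAGE, derived_mac, sent_params),
        # Derived key, nothing conveyed: receiver falls back to the raw password.
        "derived_without_params": verify(PASSWORD, MESSAGE, derived_mac),
    }

if __name__ == "__main__":
    print(demo())
```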