Subject: RE: [wss] HMAC Key Derivation in UsernameToken Profile
Rich,

I agree with you on this. There should be some sort of requirement that key derivation information be conveyed. This should be a MUST and not a SHOULD as you mention. Without this sentence requirement (or equivalent) we are in essence creating the opportunity for two separate implementations of WS-Security+UsernameToken to fully support the specifications, yet be completely unusable together.

What do others think about this issue? It is already causing some interop problems in the field as implementers must try and reverse engineer unspecified key-derivation algorithms in order to get username tokens to work.

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com/

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Tuesday, December 16, 2003 4:35 PM
To: Blake Dournaee
Cc: wss@lists.oasis-open.org; speechu@sarvega.com
Subject: Re: [wss] HMAC Key Derivation in UsernameToken Profile

...

I suggest that we say something like "if the HMAC key is to be derived from more than just the password, then implementations MUST convey that information along with the initial shared secret."

I don't think it's right for us to outlaw any key derivation. That kind of profiling should be left to WS-I.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology
http://www.datapower.com
XS40 XML Security Gateway
http://www.datapower.com/products/xs40.html
XML Security Overview
http://www.datapower.com/xmldev/xmlsecurity.html
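The interop failure described in the message above, as an added example that is not part of the thread and not code from either vendor or the WSS TC. Two peers both "fully support" HMAC over a UsernameToken, but each derives the HMAC key from the password its own way. Both derivation schemes below (`derive_raw`, `derive_hashed`), the token fields, the message bytes and the `KeyDerivation` label are constructed assumptions for illustration; none of them is the profile's actual algorithm or syntax. The first function shows that without a conveyed derivation identifier the MAC check fails even though both sides hold the same password; the second shows that conveying the identifier lets the receiver either derive the same key or reject with a clear reason instead of a silent MAC mismatch.

```python
import hashlib
import hmac

# Constructed sample token fields as both peers would see them (not real data).
PASSWORD = b"correct horse battery staple"
NONCE = b"OTg0MTM0MzUw"
CREATED = b"2003-12-16T16:35:00Z"
MESSAGE = b"<soap:Body>...</soap:Body>"  # constructed, already canonicalized


def derive_raw(password, nonce, created):
    """Hypothetical vendor A: the HMAC key is the password bytes themselves."""
    return password


def derive_hashed(password, nonce, created, iterations=1000):
    """Hypothetical vendor B: iterated SHA-1 over password || nonce || created.
    Illustrative only; not the UsernameToken Profile's derivation."""
    k = password + nonce + created
    for _ in range(iterations):
        k = hashlib.sha1(k).digest()
    return k


# Assumed registry of derivation schemes, keyed by a label the sender could convey.
DERIVATIONS = {"raw": derive_raw, "hashed": derive_hashed}


def sign(message, key):
    """HMAC-SHA1 over the message with the derived key (hex digest)."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def verify(message, key, mac):
    """Constant-time comparison of the recomputed MAC against the received one."""
    return hmac.compare_digest(sign(message, key), mac)


def interop_without_label(sender_scheme, receiver_scheme):
    """Neither side says how the key was derived; the receiver just guesses its own way.
    Returns True only if the receiver's MAC check passes."""
    k_send = DERIVATIONS[sender_scheme](PASSWORD, NONCE, CREATED)
    mac = sign(MESSAGE, k_send)
    # The receiver has the same password but no idea which scheme the sender used.
    k_recv = DERIVATIONS[receiver_scheme](PASSWORD, NONCE, CREATED)
    return verify(MESSAGE, k_recv, mac)


def interop_with_label(sender_scheme, receiver_supported):
    """The sender conveys a hypothetical 'KeyDerivation' label next to the MAC.
    The receiver derives with that scheme if it supports it, otherwise it rejects
    explicitly rather than reporting an unexplained MAC mismatch."""
    k_send = DERIVATIONS[sender_scheme](PASSWORD, NONCE, CREATED)
    token = {"mac": sign(MESSAGE, k_send), "KeyDerivation": sender_scheme}

    scheme = token["KeyDerivation"]
    if scheme not in receiver_supported:
        return "unsupported-derivation"
    k_recv = DERIVATIONS[scheme](PASSWORD, NONCE, CREATED)
    return "ok" if verify(MESSAGE, k_recv, token["mac"]) else "bad-mac"


if __name__ == "__main__":
    print("same scheme, no label:   ", interop_without_label("raw", "raw"))
    print("mixed schemes, no label: ", interop_without_label("raw", "hashed"))
    print("labelled, supported:     ", interop_with_label("hashed", {"raw", "hashed"}))
    print("labelled, unsupported:   ", interop_with_label("hashed", {"raw"}))
```

The point of the labelled path is not that a label makes the two derivations compatible; it makes the mismatch detectable and negotiable, which is what the proposed MUST buys. A receiver that only sees a failed MAC has to reverse engineer the sender's derivation, exactly the field problem the message describes.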