

Subject: RE: [wss] HMAC Key Derivation in UsernameToken Profile


Rich,

I agree with you on this. There should be some sort of requirement that
key derivation information be conveyed. This should be a MUST and not a
SHOULD as you mention.

Without this sentence requirement (or equivalent) we are in essence
creating the opportunity for two separate implementations of
WS-Security+UsernameToken to fully support the specifications, yet be
completely unusable together.

What do others think about this issue? It is already causing some
interop problems in the field as implementers must try and reverse
engineer unspecified key-derivation algorithms in order to get username
tokens to work.

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
http://www.sarvega.com/

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com] 
Sent: Tuesday, December 16, 2003 4:35 PM
To: Blake Dournaee
Cc: wss@lists.oasis-open.org; speechu@sarvega.com
Subject: Re: [wss] HMAC Key Derivation in UsernameToken Profile

...

I suggest that we say something like "if the HMAC key is to be
derived from more than just the password, then implementations
MUST convey that information along with the initial shared secret."
I don't think it's right for us to outlaw any key derivation.  That
kind of profiling should be left to WS-I.
        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview
http://www.datapower.com/xmldev/xmlsecurity.html
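
The interop failure both messages describe, as an added example that is not part of either e-mail or of the WSS specification: a sender derives its HMAC key from more than the password, and a receiver can verify only when that derivation information is conveyed. The PBKDF2 derivation, the `derivation` parameter format, HMAC-SHA256 and all sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed sample values; none of these come from the thread or the spec.
PASSWORD = b"correct horse battery staple"
MESSAGE = b"<soap:Body>transfer 100</soap:Body>"


def derive_key(password, derivation=None):
    """Return the HMAC key for a shared password.

    derivation=None means the password bytes are the key. Otherwise it is a
    dict of parameters (hypothetical format) that the sender conveyed.
    """
    if derivation is None:
        return password
    if derivation["alg"] == "pbkdf2-hmac-sha256":
        return hashlib.pbkdf2_hmac("sha256", password,
                                   derivation["salt"], derivation["iterations"])
    raise ValueError("unsupported key derivation: %r" % derivation["alg"])


def sign(password, message, derivation=None):
    key = derive_key(password, derivation)
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(password, message, tag, derivation=None):
    try:
        expected = sign(password, message, derivation)
    except (ValueError, KeyError):
        return False  # unknown or malformed derivation info: reject
    return hmac.compare_digest(expected, tag)


def demo():
    params = {"alg": "pbkdf2-hmac-sha256", "salt": b"constructed-salt",
              "iterations": 1000}
    tag = sign(PASSWORD, MESSAGE, params)  # sender derives its key
    return {
        # Receiver assumes the password itself is the key: same secret, no match.
        "receiver_without_params": verify(PASSWORD, MESSAGE, tag),
        # Receiver uses the conveyed derivation information: match.
        "receiver_with_params": verify(PASSWORD, MESSAGE, tag, params),
        # Receiver is told about a derivation it does not implement: reject.
        "receiver_unknown_alg": verify(PASSWORD, MESSAGE, tag, {"alg": "x"}),
    }


if __name__ == "__main__":
    print(demo())
```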

