W3C home > Mailing lists > Public > www-xkms@w3.org > November 2004

Confusing 8.1

From: Guillermo Álvaro Rey <alvarorg@cs.tcd.ie>
Date: Fri, 26 Nov 2004 17:44:03 +0000
To: XKMS WG <www-xkms@w3.org>
Message-Id: <1101491041.8698.230.camel@lamb.dsg.cs.tcd.ie>
Hi all,

I find the "Use of Limited-Use Shared Secret Data" section (8.1) a bit
confusing.

In p[329] there is a set of four "rules" regarding the conversion of
strings of characters. At the beginning I thought those rules were
related to the "generation" of shared secrets. However, after some talk
I reckon that those rules may be needed to process the strings before
the MACing. The absence of a clear "MUST" in the sentence before those
rules makes me hesitate, as it is only stated that "it is most
convenient".

 - Would it be possible to define a string "secRET" or "se   cret" as a
shared secret? (preventing a client from converting those strings to
"secret" before sending)

 - Should a server accept a string "secRET" or "se   cret" if the shared
secret was "secret"?

Moreover, what does "all shared string values are encoded as XML" mean?
Should a space be coded as %20? ...and then removed?

And in p[334] there is a mention to the lowest significant bits of a MAC
output. If 4 bytes of keying material are needed and the output's length
is 20 bytes, should the last four be used?

...

Plus, talking to Stephen, I realised that a non-text shared secret could
be possible, without the need of the MACing. This kind of authentication
to be possibly tested in the optional bunch...

Some clarification would be appreciated so proper tests could be defined
regarding this section :)

Cheers,
 - -Guillermo
Received on Friday, 26 November 2004 17:44:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:39:23 GMT