
HMAC key authentication and shared secret key hints

From: Jose Kahan <jose.kahan@w3.org>
Date: Thu, 3 Mar 2005 17:20:08 +0100
To: www-xkms@w3.org
Message-ID: <20050303162008.GA4610@inrialpes.fr>
(summarizing this issue reported by Tommy for archival purposes)

The XKRSS message defines the KeyBindingAuthentication element that lets
a server authenticate the key binding element within an XKRSS request.
The content of this element has a ds:Signature calculated with an HMAC
using a preshared secret.

The XKMS CR specification doesn't define how a request can notify the
server which preshared secret it used. One implementation used
ds:KeyInfo.KeyName where another one used UseKeyWith with certain values
to make it work.

In order to avoid interoperability problems, it would be good if the
XKMS recommended how to do this. Tommy's proposal to use ds:KeyInfo.KeyName
for this makes sense to me.


Received on Thursday, 3 March 2005 16:37:44 UTC
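
The KeyName-hint approach discussed above, as an added example that is not part of the original message or of the XKMS specification: the server selects the preshared secret named by ds:KeyName and checks the HMAC in constant time. The key names, secrets, HMAC-SHA1, and the reduced ds:Signature layout are assumptions, and the caller is assumed to supply the already canonicalized ds:SignedInfo bytes.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed table: ds:KeyName hint -> preshared HMAC key (sample values).
SHARED_SECRETS = {
    "client-alpha": b"constructed-secret-alpha",
    "client-beta": b"constructed-secret-beta",
}
_DUMMY_KEY = b"\x00" * 20  # stand-in key so an unknown hint still costs one HMAC


def build_signature(key_name, key, canonical_signed_info):
    """Client side: emit a reduced ds:Signature carrying the KeyName hint."""
    mac = hmac.new(key, canonical_signed_info, hashlib.sha1).digest()
    return (
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f"<ds:SignatureValue>{base64.b64encode(mac).decode()}</ds:SignatureValue>"
        f"<ds:KeyInfo><ds:KeyName>{escape(key_name)}</ds:KeyName></ds:KeyInfo>"
        "</ds:Signature>"
    )


def verify_key_binding_auth(signature_xml, canonical_signed_info):
    """Server side: pick the secret named by ds:KeyName, then check the HMAC."""
    # Production code should parse untrusted XML with a hardened parser.
    try:
        root = ET.fromstring(signature_xml)
        hint = root.findtext(f"{DS}KeyInfo/{DS}KeyName", default="").strip()
        value = root.findtext(f"{DS}SignatureValue", default="")
        claimed = base64.b64decode(value, validate=True)
    except (ET.ParseError, ValueError):
        return False
    key = SHARED_SECRETS.get(hint, _DUMMY_KEY)
    expected = hmac.new(key, canonical_signed_info, hashlib.sha1).digest()
    # Constant-time compare; an unknown hint and a bad MAC both return False.
    return hmac.compare_digest(expected, claimed) and hint in SHARED_SECRETS
```

The hint only selects a key and is never trusted on its own, so a request naming the wrong or an unknown secret fails the same way as one with a bad HMAC.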
