> Hello,
>
> I would have a question about shared secrets used as authentication
> code in XKRSS requests and responses.
> In §6.1.1, it is said that in case of registration of client-generated
> key pair, Alice gets the "024837" code from server to authenticate her
> request (the code is used in <KeyBindingAuthentication>). That's ok for me.
> In §6.1.2, it is said that in case of registration of service-generated
> key pair, Bob gets the "3N9CJ-K4JKS-04JWF-0934J-SR09JW-IK4" code from
> server and that this code is used (in a key derived form) by server to
> encrypt private key value (and so by client to decrypt it). Is this code
> also used for client request authentication
> (<KeyBindingAuthentication>) before private key generation? Or, do we
> have to use two different codes?

There is some advice in section 10.4 in relation to the use of shared secrets. The spec does not disallow you using the same string for all purposes - we found this convenient during interop. A more secure configuration would use each secret once only.

> When looking at appendix C,
> - in C.1.2, for Bob registration authentication key, authentication
>   data is "3N9CJ-JK4JK-S04JF-W0934-JSR09-JWIK4"
> - in C.1.3, for Bob registration private key encryption,
>   authentication data is "3N9CJ-K4JKS-04JWF-0934J-SR09JW-IK4"
> It's nearly the same, but not the same (one character difference).
> Is it voluntary?

While I didn't select them, I was conscious about the similarity of the two strings throughout. This alone does not make them invalid of course, provided that the corresponding keys differ correspondingly.

Regards

Tommy

Received on Monday, 9 May 2005 21:05:40 GMT
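An added illustration of the two points in the reply (one string for all purposes versus one secret per purpose, and nearly identical strings yielding distinct keys); this is example code, not from the thread or the XKMS spec, and the per-purpose labels and the HMAC-SHA256 derivation are assumptions standing in for the spec's own key-derivation constants:

```python
import hashlib
import hmac
import re

# The two appendix C strings as quoted in the thread.
AUTH_CODE_C12 = "3N9CJ-JK4JK-S04JF-W0934-JSR09-JWIK4"   # C.1.2, authentication data
ENC_CODE_C13 = "3N9CJ-K4JKS-04JWF-0934J-SR09JW-IK4"    # C.1.3, private key encryption

# Assumed per-purpose labels; the spec's exact derivation constants are not on the page.
PURPOSE_LABELS = {
    "authentication": b"\x01",
    "private-key-encryption": b"\x02",
}


def normalize(secret: str) -> bytes:
    """Canonical form of a typed secret: drop hyphens and whitespace, uppercase.
    Client and server must agree on this step, otherwise a secret printed with
    hyphens and typed without them derives different keys."""
    return re.sub(r"[\s\-]", "", secret).upper().encode("ascii")


def derive_key(secret: str, purpose: str) -> bytes:
    """Purpose-bound key: HMAC keyed with the normalized secret over a purpose
    label, so one shared string still yields different authentication and
    encryption keys, and two secrets that differ by one character yield
    unrelated keys."""
    return hmac.new(normalize(secret), PURPOSE_LABELS[purpose], hashlib.sha256).digest()


def exposed_purposes(leaked: str, assignment: dict[str, str]) -> list[str]:
    """Given one leaked secret string and a deployment's purpose -> secret
    assignment, list every purpose that leak unlocks. Reusing one string for
    all purposes (the interop shortcut) exposes all of them at once."""
    return [p for p, s in assignment.items() if normalize(s) == normalize(leaked)]


if __name__ == "__main__":
    reused = {p: ENC_CODE_C13 for p in PURPOSE_LABELS}
    separate = {"authentication": AUTH_CODE_C12, "private-key-encryption": ENC_CODE_C13}
    print("leak with reused string unlocks:", exposed_purposes(ENC_CODE_C13, reused))
    print("leak with separate secrets unlocks:", exposed_purposes(ENC_CODE_C13, separate))
    for purpose in PURPOSE_LABELS:
        print(purpose, derive_key(AUTH_CODE_C12, purpose).hex()[:16],
              derive_key(ENC_CODE_C13, purpose).hex()[:16])
```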