- From: Guillermo Álvaro Rey <alvarorg@cs.tcd.ie>
- Date: Fri, 26 Nov 2004 17:44:03 +0000
- To: XKMS WG <www-xkms@w3.org>
- Message-Id: <1101491041.8698.230.camel@lamb.dsg.cs.tcd.ie>
Hi all, I find the "Use of Limited-Use Shared Secret Data" section (8.1) a bit confusing. In p[329] there is a set of four "rules" regarding the conversion of strings of characters. At the beginning I thought those rules were related to the "generation" of shared secrets. However, after some talk I reckon that those rules may be needed to process the strings before the MACing. The absence of a clear "MUST" in the sentence before those rules makes me hesitate, as it is only stated that "it is most convenient". - Would it be possible to define a string "secRET" or "se cret" as a shared secret? (preventing a client from converting those strings to "secret" before sending) - Should a server accept a string "secRET" or "se cret" if the shared secret was "secret"? Moreover, what does "all shared string values are encoded as XML" mean? Should a space be coded as %20? ...and then removed? And in p[334] there is a mention to the lowest significant bits of a MAC output. If 4 bytes of keying material are needed and the output's length is 20 bytes, should the last four be used? ... Plus, talking to Stephen, I realised that a non-text shared secret could be possible, without the need of the MACing. This kind of authentication to be possibly tested in the optional bunch... Some clarification would be appreciated so proper tests could be defined regarding this section :) Cheers, - -Guillermo
Received on Friday, 26 November 2004 17:44:06 UTC