If you just want to verify integrity then you don't need signature. A simple hash will do just fine.
Key name cannot compromise security because it is not a key
but a reference to a key. Only the one who has the key can
get it using key name. I think you might want to read some
books about security and cryptography:
http://www.aleksey.com/xmlsec/related.html
I would recommend Bruce Schneier's "Applied Cryptography".

Best, Aleksey
Monica Lau wrote:
Hi Aleksey,
>Signing documents with HMAC does not make much sense because
>both sender and verifier have to have the key in order to be
>able to sign/verify it. But if you have the HMAC key then you can
>not only verify but also sign. The whole purpose of the signature
>is to prove that the key owner and only the key owner has signed
>the document. And as you can see the HMAC algorithm does not work well
>for this.
Yes, I agree. So, with HMAC, all we can do is verify the integrity of the xml document. We won't be able to verify that it really came from the key owner. We should really change to using private/public key as this is the purpose of signatures.
>Now to your question. The key can be specified by key's name
>in child of element. Then you
>will need to create key in xmlsec, set the name and add key
>to keys manager.
Hmm..., if I specify the key in the <keyname>, wouldn't this compromise security? Someone sniffing the network can get a hold of the xml document and get a hold of the key. Maybe I'm not understanding HMAC correctly: There is a shared secret. The key is derived by hashing a shared secret. Does this key change per hash? So, putting this key in the xml document is ok because attackers cannot derive our shared secret from it. Is this correct? Hence, the receiver does not need to know the shared secret, just the key as specified in the <keyname>.
I've been trying to read some docs on HMAC, but the articles use the terms shared secret and shared key interchangeably, and I don't believe they are the same.
Thanks,
Monica
xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
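The three points of the exchange above (a KeyName is only a reference resolved against the receiver's own keys manager, HMAC lets anyone holding the key both verify and produce a valid tag, and a bare hash is enough when only integrity matters), as an added Python example that is not part of this thread or of xmlsec itself; the dict-based keys manager, the key name, the key bytes and the XML snippet are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed key material and a toy "keys manager": KeyName -> secret bytes.
# The document carries only the name; a party that was never given the key
# has no entry to resolve it against.
SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
SENDER_KEYS = {"monica-hmac-key": SECRET}
RECEIVER_KEYS = {"monica-hmac-key": SECRET}   # receiver was given the same key
SNIFFER_KEYS = {}                              # sees the document and the KeyName only


def hmac_sign(document: bytes, key_name: str, manager: dict) -> dict:
    """Return a KeyName/SignatureValue pair; the name is a reference, not the key."""
    key = manager[key_name]  # KeyError if this party does not hold the key
    tag = hmac.new(key, document, hashlib.sha256).hexdigest()
    return {"KeyName": key_name, "SignatureValue": tag}


def hmac_verify(document: bytes, sig: dict, manager: dict) -> bool:
    """Resolve KeyName locally; without the key there is nothing to check against."""
    key = manager.get(sig["KeyName"])
    if key is None:
        return False
    expected = hmac.new(key, document, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["SignatureValue"])


def sha256_digest(document: bytes) -> str:
    """Keyless integrity check: detects accidental change, proves nothing about origin."""
    return hashlib.sha256(document).hexdigest()


def demo() -> dict:
    doc = b"<order><item>widget</item><qty>1</qty></order>"
    tampered = doc.replace(b"<qty>1</qty>", b"<qty>100</qty>")
    sig = hmac_sign(doc, "monica-hmac-key", SENDER_KEYS)
    try:
        hmac_sign(doc, "monica-hmac-key", SNIFFER_KEYS)
        sniffer_can_sign = True
    except KeyError:                      # name known, key absent
        sniffer_can_sign = False
    return {
        "receiver_verifies": hmac_verify(doc, sig, RECEIVER_KEYS),
        "receiver_detects_tamper": not hmac_verify(tampered, sig, RECEIVER_KEYS),
        "sniffer_verifies": hmac_verify(doc, sig, SNIFFER_KEYS),
        "sniffer_can_sign": sniffer_can_sign,
        # Same key on both sides: the receiver produces the identical tag, so HMAC
        # proves "someone holding the key", never "the key owner and only the owner".
        "receiver_can_forge": hmac_sign(doc, "monica-hmac-key", RECEIVER_KEYS) == sig,
        "digest_detects_change": sha256_digest(doc) != sha256_digest(tampered),
    }
```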
