[xmlsec] Re: Newbie question on HMAC signature

Aleksey Sanin aleksey at aleksey.com
Tue Oct 12 20:22:30 PDT 2004


Signing documents with HMAC does not make much sense because
both sender and verifier have to have the key in order to be
able to sign/verify it. But if you have the HMAC key then you can
not only verify but also sign. The whole purpose of the signature
is to prove that the key owner and only the key owner has signed
the document. And as you can see the HMAC algorithm does not work well
for this.

Now to your question. The key can be specified by the key's name
in the <dsig:KeyName> child of the <dsig:KeyInfo> element. Then you
will need to create the key in xmlsec, set the name and add the key
to the keys manager.

Aleksey

Monica Lau wrote:
> Hi Aleksey,
>  
> Thanks for all your help and your quick responses!  I really appreciate 
> it.  I have a newbie, general question below that I hope you can help me 
> with (if you want me to cc it to the mailing list, pls let me know):    
>  
> As you know, I'm signing an xml document using hmac-sha1.  I was just 
> wondering what do people normally fill in for the <keyinfo> element?  I 
> assume that you don't incorporate this <keyinfo> element into the 
> document because you can't/shouldn't store the secret in it.  Or is 
> there some way to incorporate this information in the xml document 
> without compromising security?  I don't believe so, but I'm fairly new 
> to security... 
>  
> Thanks for your help,
> Monica
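
The lookup described in the reply above, as an added example that is not part of the original message and is not xmlsec code: the document carries only the key's name in <dsig:KeyName>, and the verifier resolves that name against a key store it holds itself. The key name, secret and helper names are constructed, and Python's standard-library C14N 2.0 is an assumption standing in for the canonicalization xmlsec would apply.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Constructed key store: KeyName -> shared secret, kept outside the document.
KEY_STORE = {"partner-a-hmac": b"constructed-demo-secret"}

def _q(tag):
    return f"{{{DS}}}{tag}"

def _b64(data):
    return base64.b64encode(data).decode("ascii")

def _mac(signed_info, key):
    # Assumption: stdlib C14N 2.0 stands in for the CanonicalizationMethod
    # a full XML-DSig processor such as xmlsec would apply.
    c14n = ET.canonicalize(ET.tostring(signed_info, encoding="unicode"))
    return hmac.new(key, c14n.encode("utf-8"), hashlib.sha1).digest()

def sign(payload, key_name, store):
    """Build a detached ds:Signature whose KeyInfo holds only the key's name."""
    sig = ET.Element(_q("Signature"))
    info = ET.SubElement(sig, _q("SignedInfo"))
    ET.SubElement(info, _q("SignatureMethod"), Algorithm=DS + "hmac-sha1")
    ref = ET.SubElement(info, _q("Reference"))
    ET.SubElement(ref, _q("DigestMethod"), Algorithm=DS + "sha1")
    ET.SubElement(ref, _q("DigestValue")).text = _b64(hashlib.sha1(payload).digest())
    ET.SubElement(sig, _q("SignatureValue")).text = _b64(_mac(info, store[key_name]))
    ET.SubElement(ET.SubElement(sig, _q("KeyInfo")), _q("KeyName")).text = key_name
    return ET.tostring(sig, encoding="unicode")

def verify(signature_xml, payload, store):
    """Resolve the key by KeyName, then check the digest and the HMAC."""
    sig = ET.fromstring(signature_xml)
    key = store.get(sig.findtext(f"{_q('KeyInfo')}/{_q('KeyName')}"))
    if key is None:  # unknown or missing name: nothing to verify with
        return False
    info = sig.find(_q("SignedInfo"))
    digest_ok = hmac.compare_digest(
        info.findtext(f"{_q('Reference')}/{_q('DigestValue')}") or "",
        _b64(hashlib.sha1(payload).digest()))
    mac_ok = hmac.compare_digest(
        base64.b64decode(sig.findtext(_q("SignatureValue")) or ""), _mac(info, key))
    return digest_ok and mac_ok
```

Any party holding KEY_STORE can call sign() as well as verify(), which is the limitation of HMAC that the reply points out.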


