Signing documents with HMAC does not make much sense because both sender and verifier have to have the key in order to be able to sign/verify it. But if you have the HMAC key then you can not only verify but also sign. The whole purpose of the signature is to prove that the key owner and only the key owner has signed the document. And as you can see the HMAC algorithm does not work well for this.
Now to your question. The key can be specified by the key's name in the <dsig:KeyName> child of the <dsig:KeyInfo> element. Then you will need to create the key in xmlsec, set the name and add the key to the keys manager.
Aleksey
Monica Lau wrote:
Hi Aleksey,
Thanks for all your help and your quick responses! I really appreciate it. I have a newbie, general question below that I hope you can help me with (if you want me to cc it to the mailing list, pls let me know):
As you know, I'm signing an xml document using hmac-sha1. I was just wondering what do people normally fill in for the <keyinfo> element? I assume that you don't incorporate this <keyinfo> element into the document because you can't/shouldn't store the secret in it. Or is there some way to incorporate this information in the xml document without compromising security? I don't believe so, but I'm fairly new to security...
Thanks for your help,
Monica
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
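The KeyName approach from the reply above, as an added example that is not part of the original thread and not xmlsec code: the document carries only the key's name, and the verifier resolves the secret from its own store. It uses the Python standard library only; `KEY_STORE`, the key name and the secret are constructed stand-ins for the xmlsec keys manager, and the signature layout is simplified (C14N 2.0 over `SignedInfo`, no transforms), so it is not a full XML-DSig implementation.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"dsig": DS}

# Constructed key store (assumption): name -> shared secret, held by both parties.
KEY_STORE = {"shared-key-1": b"constructed-demo-secret"}


def _mac(key, signed_info):
    # Simplification: HMAC-SHA1 over the C14N 2.0 form of SignedInfo.
    data = ET.canonicalize(ET.tostring(signed_info, encoding="unicode"))
    digest = hmac.new(key, data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign(payload_digest, key_name):
    """Build a Signature element that names the key but never contains it."""
    sig = ET.Element(f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI="")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = payload_digest
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _mac(KEY_STORE[key_name], si)
    key_info = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    return ET.tostring(sig, encoding="unicode")


def verify(xml_text):
    """Resolve the secret by KeyName, then recompute and compare the MAC."""
    sig = ET.fromstring(xml_text)
    name = sig.findtext("dsig:KeyInfo/dsig:KeyName", namespaces=NS)
    key = KEY_STORE.get(name)
    signed_info = sig.find("dsig:SignedInfo", NS)
    if key is None or signed_info is None:
        return False  # unknown key name or malformed signature: reject
    got = sig.findtext("dsig:SignatureValue", default="", namespaces=NS)
    expected = _mac(key, signed_info)
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode("utf-8"), got.encode("utf-8"))


if __name__ == "__main__":
    doc = sign("ZGVtbw==", "shared-key-1")  # constructed digest value
    print(doc)
    print("valid:", verify(doc))
```

Because `sign` and `verify` use the same entry in `KEY_STORE`, any party able to verify can also produce a valid signature, which is the limitation the reply describes.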
