Subject: WS-I BSP WG comments - Part 1
Please find below comments on the WS-Security specifications from the WS-I Basic Security Profile WG. Please contact me if you have any difficulty interpreting our comments. It is possible that we will provide additional comments but we wanted to provide these comments as early as possible.

/paulc

Chair, WS-I BSP WG

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:pcotton@microsoft.com

WSS SOAP Message Security
Comments on Working Draft 17 dated 27 Aug 2003

* Line 416 - 'MAY' should be 'can'.
* Line 422 - The "SHOULD" phrase is confusing, just simply say that key-bearing element SHOULD be ordered to precede the key-using element
* Line 459 - We suggest that 'SHALL be' is replaced with 'are'.
* Line 599 - Typo - "reference".
* Line 613, 615 - Grammar of sentence confusing, including use of "SHALL".
* Line 832, 833 - Even though RFC 2119 does not require capitalization, we suggest that 'should' needs to be 'SHOULD' and it needs to say that order of elements represents order of operations.
* Line 838-839 - Awkward wording, and questionable use of "SHOULD" and "MUST"
* Line 937-938 (Section 8.3) - It is not clear in the document what are 'x' and 'y'. Are they placeholders, if not they should probably be in quotes.
* Section 13 - Is section 13 supposed to be non-normative? If that is indeed the case, there should be no SHOULD/MAY/MUST in this section.

WSS Username Token Profile
Comments on Working Draft 4 dated 11 Aug 2003.

* Lines 32, 33, 34, 39 (Table of Contents) - The section numbers in those lines are out of order.
* Line 67 (Section 2.1) - There is a reference to SOAP 1.2 namespace. However, there seem to be some old URI in the table.
* Line 107 - Typo, the word 'security' has been misspelled as 'securty'.
* Lines 155-156 - It is recommended that the element is passed when a secure transport is being used. It is not clear what 'secure transport' means. Does this include SOAP-element level encryption?
* Line 170 - This should be a 'MUST' instead of the 'should', if you are interested in detecting replay attacks.
* Line 236 - The recommendation should reference the security consideration in WSS SOAP Message Security document, section 13, Line 1475, since it is a better description of using signatures to prevent replay attacks.
* General - The core document says that each token profile MUST define the value of QName. This document does not define the value of the QName.
* General - The Username token profile does not address KeyIdentifier and KeyName. The profile should either state that these are not used or define their meaning. Token profile should define their default values.
* General - Some of the references are not used in this document. It will help if the normative ones are in a separate section.

WSS X.509 Certificate Token Profile
Comments on Working Draft 10 dated 19 Aug 2003.

* Line 182 - [] should be used consistently and reference like WS-Security should not be used when also used in the text. E.g. line 182, blue, no bracket.
* Line 221 - Misuse of capital 'MAY'.
* Line 224 - Misuse of capital 'MAY'.
* Line 230 - Subsection starts after a ':'.
* Line 237 - example should be explained.
* Line 281/318 - The document should explain the meaning of core reference. Probably should be a wsse:Reference.
* Line 398 - Error code section is inconsistent about references.
* Section 3.6 - is not normative.
* Line 411 - We don't understand the meaning of this sentence.