
wss-comment message



Subject: WS-I BSP WG comments - Part 1


Please find below comments on the WS-Security specifications from the
WS-I Basic Security Profile WG.  Please contact me if you have any
difficulty interpreting our comments.

It is possible that we will provide additional comments but we wanted to
provide these comments as early as possible.

/paulc
Chair, WS-I BSP WG

Paul Cotton, Microsoft Canada 
17 Eleanor Drive, Nepean, Ontario K2E 6A3 
Tel: (613) 225-5445 Fax: (425) 936-7329 
mailto:pcotton@microsoft.com

WSS SOAP Message Security 
Comments on Working Draft 17 dated 27 Aug 2003

*	Line 416 - 'MAY' should be 'can'.
*	Line 422 - The "SHOULD" phrase is confusing; simply say
that the key-bearing element SHOULD be ordered to precede the key-using
element.
*	Line 459 - We suggest that 'SHALL be' is replaced with 'are'.
*	Line 599 - Typo - "reference".
*	Line 613, 615 - Grammar of sentence confusing, including use of
"SHALL".
*	Line 832, 833 - Even though RFC 2119 does not require
capitalization, we suggest that 'should' needs to be 'SHOULD' and it
needs to say that order of elements represents order of operations.
*	Line 838-839 - Awkward wording, and questionable use of "SHOULD"
and "MUST"
*	Line 937-938 (Section 8.3) - It is not clear in the document
what are 'x' and 'y'. Are they placeholders, if not they should probably
be in quotes.
*	Section 13 - Is section 13 supposed to be non-normative? If that
is indeed the case, there should be no SHOULD/MAY/MUST in this section.

WSS Username Token Profile
Comments on Working Draft 4 dated 11 Aug 2003.

*	Lines 32, 33, 34, 39 (Table of Contents) - The section numbers
in those lines are out of order. 
*	Line 67 (Section 2.1) - There is a reference to SOAP 1.2
namespace. However, there seem to be some old URI in the table. 
*	Line 107 - Typo, the word 'security' has been misspelled as
'securty'.
*	Lines 155-156 - It is recommended that the element is passed
when a secure transport is being used. It is not clear what 'secure
transport' means. Does this include SOAP-element level encryption?
*	Line 170 - This should be a 'MUST' instead of the 'should', if
you are interested in detecting replay attacks. 
*	Line 236 - The recommendation should reference the security
consideration in WSS SOAP Message Security document, section 13, Line
1475, since it is a better description of using signatures to prevent
replay attacks. 
*	General - The core document says that each token profile MUST
define the value of QName. This document does not define the value of
the QName. 
*	General - The Username token profile does not address
KeyIdentifier and KeyName. The profile should either state that these are
not used or define their meaning. Token profile should define their
default values. 
*	General - Some of the references are not used in this document.
It will help if the normative ones are in a separate section.

WSS X.509 Certificate Token Profile
Comments on Working Draft 10 dated 19 Aug 2003.

*	Line 182 - [] should be used consistently and reference like
WS-Security should not be used when also used in the text. E.g. line
182, blue, no bracket.
*	Line 221 - Misuse of capital 'MAY'.
*	Line 224 - Misuse of capital 'MAY'.
*	Line 230 - Subsection starts after a ':'.
*	Line 237 - example should be explained.
*	Line 281/318 - The document should explain the meaning of core
reference. Probably should be a wsse:Reference.
*	Line 398 - Error code section is inconsistent about references.
*	Section 3.6 - is not normative.
*	Line 411 - We don't understand the meaning of this sentence. 
  


