Subject: 2 comments on WSS 1.0 spec now balloting at OASIS

Comment #1

Document: Web Services Security: SOAP Message Security (WS-Security)

Comment: Although general guidance is provided regarding XML security tokens, WSS 1.0 does not include a security assertion markup language (SAML) assertion/token profile. This is a serious omission given the critical role of SAML in so many federated identity solutions now being deployed. The omission has forced a number of commercial web services security products to create their own SAML-SOAP bindings (or use the one promoted by the Liberty Alliance) in order to meet customer demand.

Recommendation: Include a SAML 1.1 profile in the next WSS version as early as possible.

Comment #2

Document: Web Services Security: Username Token Profile

Comment: The UserName Token element (/wsse:UsernameToken) does not provide any means of qualifying the user name to indicate its type or domain. Optional sub-elements should be defined for type (with several types pre-defined including e-mail address and Microsoft SAM account name) and domain (DNS or NT/AD). Without such qualifiers a <Username> value can often be ambiguous or non-unique. For an example of XML type and domain qualifiers, refer to the Username schema in the security assertion markup language (SAML).

Recommendation: Add optional qualifiers to UsernameToken in the next WSS version.

Michael McCormick
System Architect
Wells Fargo Services Company
255 Second Ave. South
MAC N9301-027
Minneapolis MN 55479
612-667-9227 (voice)
612-590-1437 (cell)
612-621-1318 (pager)
612-667-7642 (fax)
mailto://michael.mccormick@wellsfargo.com
m.mccormick@acm.org

"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"