wss-comment message


Subject: 2 comments on WSS 1.0 spec now balloting at OASIS


Comment #1
Document: Web Services Security: SOAP Message Security (WS-Security)
Comment: Although general guidance is provided regarding XML security
tokens, WSS 1.0 does not include a security assertion markup language (SAML)
assertion/token profile.  This is a serious omission given the critical role
of SAML in so many federated identity solutions now being deployed.  The
omission has forced a number of commercial web services security products to
create their own SAML-SOAP bindings (or use the one promoted by the Liberty
Alliance) in order to meet customer demand.
Recommendation: Include a SAML 1.1 profile in the next WSS version as early
as possible.

Comment #2
Document: Web Services Security: Username Token Profile
Comment: The UserName Token element (/wsse:UsernameToken) does not provide
any means of qualifying the user name to indicate its type or domain.
Optional sub-elements should be defined for type (with several types
pre-defined including e-mail address and Microsoft SAM account name) and
domain (DNS or NT/AD).  Without such qualifiers a <Username> value can often
be ambiguous or non-unique.  For an example of XML type and domain
qualifiers, refer to the Username schema in the security assertion markup
language (SAML).
Recommendation: Add optional qualifiers to UsernameToken in the next WSS
version.

Michael McCormick
System Architect
Wells Fargo Services Company
255 Second Ave. South
MAC N9301-027
Minneapolis MN 55479
612-667-9227 (voice)
612-590-1437 (cell)
612-621-1318 (pager)
612-667-7642 (fax)
mailto://michael.mccormick@wellsfargo.com
m.mccormick@acm.org
"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
FARGO"
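
An added illustration of the ambiguity raised in Comment #2, not part of the original message or of any OASIS specification: a receiver resolves a bare wsse:Username and a SAML 1.1 NameIdentifier (which carries Format and NameQualifier) against the same directory, and fails closed when more than one account matches. The account table, sample tokens, and function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace SAML 1.1 assertions use
FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

# Constructed directory: (name type, domain, name) -> account id.
ACCOUNTS = {
    ("sam", "CORP", "jsmith"): "acct-1001",
    ("sam", "PARTNER", "jsmith"): "acct-2002",
    ("email", "example.com", "jsmith"): "acct-1001",
}

def candidates(name, kind=None, domain=None):
    """Accounts matching the name; a missing qualifier acts as a wildcard."""
    return sorted({acct for (k, d, n), acct in ACCOUNTS.items()
                   if n == name and kind in (None, k) and domain in (None, d)})

def from_username_token(xml):
    """WSS 1.0 UsernameToken: only the bare <wsse:Username> is available."""
    name = ET.fromstring(xml).findtext(f"{{{WSSE}}}Username") or ""
    return candidates(name.strip())

def from_saml_name_identifier(xml):
    """SAML 1.1 NameIdentifier: Format and NameQualifier narrow the lookup."""
    el = ET.fromstring(xml)
    fmt, value = el.get("Format", ""), (el.text or "").strip()
    if fmt == FMT + "emailAddress":
        local, _, dom = value.rpartition("@")
        return candidates(local, "email", dom)
    if fmt == FMT + "WindowsDomainQualifiedName":
        dom, _, local = value.rpartition("\\")
        return candidates(local, "sam", dom or el.get("NameQualifier"))
    return candidates(value, domain=el.get("NameQualifier"))

def resolve(matches):
    """Fail closed: accept only when exactly one account matches."""
    if len(matches) != 1:
        raise LookupError(f"ambiguous or unknown identity: {matches}")
    return matches[0]

# Constructed sample tokens.
BARE = (f'<wsse:UsernameToken xmlns:wsse="{WSSE}">'
        '<wsse:Username>jsmith</wsse:Username></wsse:UsernameToken>')
QUALIFIED = (f'<saml:NameIdentifier xmlns:saml="{SAML}" '
             f'Format="{FMT}WindowsDomainQualifiedName">'
             'PARTNER\\jsmith</saml:NameIdentifier>')

if __name__ == "__main__":
    print(from_username_token(BARE), resolve(from_saml_name_identifier(QUALIFIED)))
```
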


