[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Further comments on WSS 1.1 Core
Here are some further comments on the WSS 1.1 Core CD document [1].

Gudge

[1] http://www.oasis-open.org/committees/download.php/13397/wss-v1.1-spec-pr-SOAPMessageSecurity-01.pdf

1. The paragraph at lines 564-571 does not cover the SOAP 1.2 case where a wsse:Security header omits the soap12:role attribute and another has a soap12:role attribute with the value http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver. Text should be added to cover this case.

2. Lines 620-621 - The allowed values for SOAP 1.2 are 1, 0, true and false.

3. Line 831 - The TokenType attribute has the wsse: prefix. I believe it should be wsse11:

4. Line 912 - There should be some text that precedes this paragraph; e.g. "In this version of the specification,". Otherwise it seems weird to talk about how to use ValueType and then say that it's not to be used.

5. Line 938 - I have no idea what a 'bifier' is... Should it be 'KeyIdentifier'?

6. Line 978 - I don't believe the text in the Description column of the table is sufficient to tell me how to compute the thumbprint of an XML based token because it doesn't tell me how to canonicalize the XML. Is this text supposed to *only* apply to BinarySecurityTokens? If so, it should state that restriction. In any case, I think it worth the spec noting that token profiles SHOULD define the token-specific algorithm for producing the thumbprint value as there may be interpretation/matching issues.

7. Lines 1251-1253 - The parenthetical statement implies that the URI for the STR-Transform is http://docs.oasisopen.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#STR-Transform and I think it should be http://docs.oasisopen.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform

8. Lines 1576-1578 recommend that xenc:EncryptedKey always contain an xenc:ReferenceList. In the case where the EncryptedKey is used for signature *and* encryption this makes it impossible to figure out 'who's on first' (i.e. whether signature or encryption occurred first). I propose that we change lines 1576-1578 to read: "This sub-element MAY contain a manifest, that is, an <xenc:ReferenceList> element, that lists the portions to be decrypted with this key. The manifest MAY appear outside the xenc:EncryptedKey provided that the corresponding xenc:EncryptedData elements contain xenc:KeyInfo elements that reference the EncryptedKey."

9. Lines 1628-1629 - Why aren't s11:Header and s12:Header listed explicitly as elements that MUST NOT be encrypted?

10. Lines 1697-1702 list s12:mustUnderstand, s11:mustUnderstand, s12:role and s11:actor but not the s12:relay attribute. Propose to add the following text after line 1702: "If the referencing <wsse:Security> header block defines a value for the S12:relay attribute, that attribute and associated value MUST be copied to the <wsse11:EncryptedHeader> element."

11. Lines 1764-1765 are inconsistent with Line 1774. The former says SHOULD be UTC, the latter says MUST be UTC.

12. Line 1807 - The wsu:MessageExpired fault code is NOT defined anywhere in this spec.
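The following checker is an added example and not part of the message above or of the WSS specification; it illustrates points 1 and 10 on a SOAP 1.2 envelope. It treats a wsse:Security header with no soap12:role attribute and one with the explicit ultimateReceiver role URI as addressed to the same node, and it verifies that each wsse11:EncryptedHeader carries the soap12:mustUnderstand, soap12:role and soap12:relay attributes of the wsse:Security header that references it. The sample envelope is constructed for this example, and tying an EncryptedHeader to a Security header through the xenc:DataReference URI that names the EncryptedData's Id is an assumption of this checker, not text from the spec.

```python
"""Added example (not from the original email or the WSS spec): a receiver-side
sanity check for two SOAP 1.2 cases discussed above.

 1. A wsse:Security header that omits soap12:role targets the ultimate
    receiver, exactly like one carrying the explicit ultimateReceiver URI.
 2. A wsse11:EncryptedHeader must carry the soap12:mustUnderstand, soap12:role
    and soap12:relay values of the wsse:Security header that references it.

Assumption: an EncryptedHeader is "referenced" by a Security header when one of
that header's xenc:DataReference URIs names the Id of the xenc:EncryptedData
inside the EncryptedHeader.
"""
import xml.etree.ElementTree as ET

S12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ULTIMATE_RECEIVER = S12 + "/role/ultimateReceiver"
# Attributes that must be copied from the Security header to the EncryptedHeader
# (relay is the one the email proposes adding to the spec's list).
COPIED_ATTRS = ("mustUnderstand", "role", "relay")


def load(xml_text):
    """Parse an envelope from text."""
    return ET.fromstring(xml_text)


def effective_role(header):
    """SOAP 1.2: an absent role attribute means the ultimate receiver."""
    return header.get("{%s}role" % S12, ULTIMATE_RECEIVER)


def security_headers_for_ultimate_receiver(envelope):
    """All wsse:Security headers this node must process as ultimate receiver."""
    hdr = envelope.find("{%s}Header" % S12)
    return [h for h in hdr.findall("{%s}Security" % WSSE)
            if effective_role(h) == ULTIMATE_RECEIVER]


def referenced_ids(security):
    """Ids named by every xenc:DataReference below this Security header
    (covers ReferenceLists both at top level and inside an EncryptedKey)."""
    return {ref.get("URI", "").lstrip("#")
            for ref in security.iter("{%s}DataReference" % XENC)}


def encrypted_header_problems(envelope):
    """Report EncryptedHeaders whose mustUnderstand/role/relay attributes differ
    from those on the Security header referencing them. Absent on both sides
    counts as equal."""
    problems = []
    hdr = envelope.find("{%s}Header" % S12)
    for security in hdr.findall("{%s}Security" % WSSE):
        ids = referenced_ids(security)
        for eh in hdr.findall("{%s}EncryptedHeader" % WSSE11):
            data = eh.find("{%s}EncryptedData" % XENC)
            if data is None or data.get("Id") not in ids:
                continue
            for name in COPIED_ATTRS:
                attr = "{%s}%s" % (S12, name)
                if security.get(attr) != eh.get(attr):
                    problems.append("%s: %s=%r on Security but %r on EncryptedHeader"
                                    % (data.get("Id"), name, security.get(attr), eh.get(attr)))
    return problems


# Constructed sample: two Security headers for the ultimate receiver (one
# implicit, one explicit), one for the "next" role, and two EncryptedHeaders
# referenced by the first Security header. The second EncryptedHeader forgot
# to copy s:relay. The CipherValue is a placeholder, not real ciphertext.
SAMPLE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <s:Header>
    <wsse:Security s:mustUnderstand="false" s:relay="true">
      <xenc:ReferenceList>
        <xenc:DataReference URI="#enc-1"/>
        <xenc:DataReference URI="#enc-2"/>
      </xenc:ReferenceList>
    </wsse:Security>
    <wsse:Security s:role="http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver"/>
    <wsse:Security s:role="http://www.w3.org/2003/05/soap-envelope/role/next"/>
    <wsse11:EncryptedHeader s:mustUnderstand="false" s:relay="true">
      <xenc:EncryptedData Id="enc-1"><xenc:CipherData>
        <xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
    </wsse11:EncryptedHeader>
    <wsse11:EncryptedHeader s:mustUnderstand="false">
      <xenc:EncryptedData Id="enc-2"><xenc:CipherData>
        <xenc:CipherValue>Y2lwaGVydGV4dA==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
    </wsse11:EncryptedHeader>
  </s:Header>
  <s:Body/>
</s:Envelope>"""

if __name__ == "__main__":
    env = load(SAMPLE)
    print(len(security_headers_for_ultimate_receiver(env)), "Security header(s) for this node")
    for p in encrypted_header_problems(env):
        print("mismatch:", p)
```

Run on the constructed sample, the first call reports two Security headers for the ultimate receiver (the header without a role and the one with the explicit URI, but not the one targeted at "next"), and the second reports one mismatch: the relay attribute present on the Security header but missing from the EncryptedHeader for enc-2, which is exactly the omission point 10 asks the spec to rule out.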