[wss] Web Services Security Issues List - Rev 3

[John Shewchuk <johnshew@microsoft.com>]

The attached issues list was updated to include 1) the current status
for existing issues and 2) new procedural work items and open technical
issues identified during our discussions on Sept 24th and in subsequent
discussions on email.

Also the resolution column now includes links to the discussion list.
In the future, as needed, we can include per issue detail sections in
the document.

As always, if there are issues being discussed that need to be tracked
but were
omitted please let me know.

Regards,
-John

Title: WSS Issues

WSS ID	Type	Status	Issue	Resolution	Owner(s)
1	Technical	Open	Can we have alternative mechanisms of signature and encryption other than XML DSIG and XML Encryption?	Philip said this issue arose around XML Signature with PK7.  The resolution should be researched and a note should be written. Zahid volunteered for volunteer that note.	Zahid Ahmed
2	Procedural	Closed	Clarify the IP status and licensing terms for the submissions to the working group	Closed on 9/24/02 - http://lists.oasis-open.org/archives/wss/200210/msg00011.html.  References Prateek Mishra's posting.  http://lists.oasis-open.org/archives/wss/200208/msg00011.html.	Closed
3	Technical	Open	Proposal to Label Tokens to Indicate Their Semantics	http://lists.oasis-open.org/archives/wss/200209/msg00036.html.  There are various active threads underway.	Hal Lockhart
4	Technical	Proposed resolution	Why is the token in the header, and not a child of KeyInfo?	Membership should review the merged documents and compare to the four security profile documents.	TC
5	Technical	Proposed resolution	Within the KeyInfo, why not use a ds:RetrievalMethod?	Phillip Hallam-Baker and Anthony Nadalin to propose solution.
6	Investigation	Open	Will the authors of the roadmap submit it?	Both footnotes have been dropped and will be added back. Chair to send email to the list request clarification.	Chair
7	Technical	Closed	Does WS-Security assume SOAP 1.1?	Per Sept 4 minutes – it will support all versions of SOAP	Closed
8	Investigation	Closed	Determine interest in a Use case document	Formed a sub-committee, led by Erik Herring	Closed
9	Investigation	Open	Approach authors to submit the App Note to the TC	Chris and Kelvin to talk to respective company lawyers.	Chair
10	Investigation	Open	Investigate interop fest at some later time	Postponed pending more feedback on documents.	Chair
11	Investigation	Open	Pick date for OASIS submission date after initial drafts available	Covered by issue 10.	Chair
12	Procedural	Closed	Remove all references to ws-routing and such	References were removed.	Closed
13	Technical	Open	Element ordering in the Security tag.	http://lists.oasis-open.org/archives/wss/200209/msg00065.html	Open
14	Technical	Open	State that the recipient SHOULD authenticate the assertion issuer and ensure that the assertion has not been modified	http://lists.oasis-open.org/archives/wss/200210/msg00021.html	Prateek Mishra
15	Technical	Open	Core: Spec should indicate that it is based on the SOAP messaging model.	http://lists.oasis-open.org/archives/wss/200209/msg00094.html	Prateek Mishra
16	Technical	Open	Core: The spec should indicate that nonce and / or timestamp elements should be used to prevent replay.	http://lists.oasis-open.org/archives/wss/200209/msg00094.html	Prateek Mishra
17	Technical	Open	Core: Should SOAP nodes acting in a particular role create or update the appropriate timestamp element.	http://lists.oasis-open.org/archives/wss/200209/msg00094.html	Prateek Mishra
18	Technical	Open	Core: No attribute or reference to the senders time.	http://lists.oasis-open.org/archives/wss/200209/msg00094.html	Prateek Mishra
19	Technical	Open	Core: Why is it necessary to special case a Username/Password POP token?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
20	Technical	Open	Core: Define security token propagation.	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
21	Technical	Open	Core: Update definition of a security token to reflect role in defining key or broaden definition.	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
22	Technical	Open	Core: Should the spec preclude security tokens whose purpose is other than to convey or bind a key to an identity or entity?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
23	Technical	Open	Core: Make Proof-of-Possession a fundamental type or relationship within [sic] within the ws-security model?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
24	Technical	Open	Core: Why is it necessary to treat XML Signature elements as other than security tokens?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
25	Technical	Open	Core: How can a Signature element occurring outside of the header be referenced?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
26	Technical	Open	Core: What does it mean to process a BinarySecurityToken?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
27	Technical	Open	Core: Reference element should have an @any to allow for attribute extensibility	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
28	Technical	Open	SAML Binding: Include the use of the URI attribute (on SecurityTokenReference) from the SS TC submission	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo
29	Technical	Open	SAML Binding: Should there be a reference form that carries what amounts to a SAML assertion Query such that the sender does not need to have acquired the assertion (to be able to apply it to a request)?	http://lists.oasis-open.org/archives/wss/200209/msg00095.html	Ronald Monzillo