Subject: Username token profile comments


I have a couple of comments on the Username Token Profile, draft 3, 30 June 2003.

1. Why is it recommended that both nonce and creation timestamp be used [122] instead of one or the other?

Does recommending both put a burden on implementations, especially with regard to timestamp management and
possible synchronization? Isn't a nonce adequate for replay attacks when chosen? Is there rationale that should
be stated?

2. Is the assumption that the nonce is generated by one party and used by the other correct? Or is
it just a random value from the sender? If the receiver first sends the nonce to the requestor and then
it is used in the token, then this needs to be clear. 

3. More generally, does this document need any processing rules stated?

4. How is Created timestamp defined [174]? Is it wsu:Timestamp or some other schema dataType?

Some typos:
99s;information..;information.;
118s;SHA-1 has ;SHA-1 hash ;
183 & 201 update wsse, wsu namespaces in examples to match [87] Add wsu to [87]?


regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones
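The replay check raised in points 1 and 2 above, as an added example that is not part of the original post: a sender builds a UsernameToken with a random nonce and a Created timestamp, and a receiver verifies PasswordDigest = Base64(SHA-1(nonce + created + password)) while rejecting repeated nonces; the five-minute freshness window and 30-second skew allowance are assumed policy values, and the timestamp is what lets the receiver bound how long it must remember nonces.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Assumed policy values: how old a Created timestamp may be, and tolerated clock skew.
FRESHNESS = timedelta(minutes=5)
SKEW = timedelta(seconds=30)
FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as used for wsu:Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username: str, password: str, now: datetime) -> dict:
    """Sender side: fresh random nonce plus Created timestamp (no handshake needed)."""
    nonce = os.urandom(16)
    created = now.strftime(FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}


class Receiver:
    """Receiver side: checks freshness, then nonce uniqueness, then the digest."""

    def __init__(self, passwords: dict):
        self.passwords = passwords  # constructed credential store: username -> password
        self.seen = {}              # nonce -> Created time; only kept within FRESHNESS

    def verify(self, token: dict, now: datetime) -> bool:
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        # A stale or far-future Created is rejected; this bounds the nonce cache.
        if not (now - FRESHNESS <= created <= now + SKEW):
            return False
        nonce = base64.b64decode(token["Nonce"])
        # Drop expired nonces, then refuse any nonce already accepted in the window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS}
        if nonce in self.seen:
            return False
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen[nonce] = created
        return True
```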
