
amqp-comment message



Subject: Comments: Advanced Message Queuing Protocol (AMQP), Claims-based Security


Hi AMQP-TC,

I was just reading through Working Draft 01 of the Advanced Message
Queuing Protocol (AMQP) Claims-based Security Version 1.0 and had a
couple of comments/questions.  I hope you find this feedback useful.

Kind regards,
Lorenz Quack

  * Section 2.2 says "Each AMQP container MUST provide a Claims-Based
    Security Node [...]"; shouldn't that be something like "Each AMQP
    container conforming to this specification MUST provide a
    Claims-Based Security Node [...]"?

  * In section 4.1.1 it is not clear to me what the "audience" of a
    token is.  Could this be expanded?

  * In section 4.1.2 it specifies the return codes 200, 400, and 500.
    Is it really meant to be those specific codes or is it 2xx, 4xx,
    and 5xx?

  * Both request messages (4.1.1 and 4.2.1) have keys in lower case
    with the exception of "Type" which is upper case.  Is this on
    purpose?

  * I guess from the places where it talks about sending a refreshed
    token in section 3 that it is okay to put the same token twice.
    I think this should be mentioned explicitly.

  * Am I correct in assuming that the tokens apply to all links
    associated with the connection?  Can you limit the scope of a token
    to only a single session or link?

  * I don't see where it is specified what the interaction of two
    different connections is.  What happens if they put the same token?
    Can one connection delete the token of another?  My guess is that
    they should be completely segregated but I think this should be
    defined explicitly in the specification.
