Here is a consolidated proposal for issue 4 from the previous three messages on this topic.

Issue 4 Reference Recommendations

WS-SecureConversation

ED-01 rev 06

Normative

[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997.

http://www.ietf.org/rfc/rfc2119.txt

[RFC2246] IETF Standard, "The TLS Protocol", January 1999.

http://www.ietf.org/rfc/rfc2246.txt

Line 338 first occurrence, line 742 first normative occurrence.

Recommend keeping as BSP references this version.

[SOAP] W3C Note, "SOAP: Simple Object Access Protocol 1.1", 08 May 2000.

http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

[SOAP12] W3C Recommendation, "SOAP 1.2 Part 1: Messaging Framework", 24 June 2003.

http://www.w3.org/TR/2003/REC-soap12-part1-20030624/

[URI] T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 3986, MIT/LCS, Day Software, Adobe Systems, January 2005.

http://www.ietf.org/rfc/rfc3986.txt

Line 54 first occurrence, lines 91/92 first referenced and normative occurrence.

Recommend using RFC 3986 which made 2396 obsolete on grounds that SP uses 3986.

[WS-Addressing] W3C Recommendation, "Web Services Addressing (WS-Addressing)", 9 May 2006.

http://www.w3.org/TR/2006/REC-ws-addr-core-20060509

Used in namespace prefix table and throughout examples and exemplars. Not referenced explicitly in text. Should be on line 309 describing Action URIs.

Recommend using Recommendation rather than Submission version as the TC interop event has.

[WS-Security]

OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.

OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.

Used throughout spec.

Update to include version 1.1.

[WS-Trust] "Web Services Trust Language", tbd

Update to TC version.

Line 138 first normative reference.

[XML-Encrypt] W3C Recommendation, "XML Encryption Syntax and Processing", 10 December 2002.

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

Line 330, needs reference added.

Note link is updated, spec used an old WD link.

[XML-Signature] W3C Recommendation, "XML-Signature Syntax and Processing", 12 February 2002.

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

Referred to throughout via use of “sign”, “integrity” and the namespace prefix ds. Recommend adding reference to definition of Signature on line 68.

[XML-Schema1] W3C Recommendation, "XML Schema Part 1: Structures Second Edition", 28 October 2004.

http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/

Implicit should be referenced in section 1.4 defining schema file. Recommend using 2^nd edition as SP does.

[XML-Schema2] W3C Recommendation, "XML Schema Part 2: Datatypes Second Edition", 28 October 2004.

http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/

Implicit should be referenced in section 1.4 defining schema file. Recommend using 2^nd edition as SP does.

Non-Normative

[WS-MetadataExchange] "Web Services Metadata Exchange (WS-MetadataExchange)", BEA, Computer Associates, IBM, Microsoft, SAP, Sun Microsystems, Inc., webMethods, September 2004.

One reference as an example on line 1156.

[WS-Policy] W3C Member Submission, "Web Services Policy 1.2 - Framework", 25 April 2006.

http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/

[WS-PolicyAttachment] W3C Member Submission, "Web Services Policy 1.2 - Attachment" , 25 April 2006.

http://www.w3.org/Submission/2006/SUBM-WS-PolicyAttachment-20060425/

Lower case “services policy” is used in many places in spec, i.e. line 189. Should be referred to here as an example. Suggest keeping and updating reference to W3C submission.

Remove

[WS-SecurityPolicy] "Web Services Security Policy Language", IBM, Microsoft, RSA Security, VeriSign, December 2002.

Not used.

[XML-C14N] W3C Candidate Recommendation, "Canonical XML Version 1.0", 26 October 2000.

Not used.

[XML-ns] W3C Recommendation, "Namespaces in XML", 14 January 1999.

Not used, implicit.

WS-Trust

ED-01 rev 08

Normative

[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997.

http://www.ietf.org/rfc/rfc2119.txt

[RFC2246] IETF Standard, "The TLS Protocol", January 1999.

http://www.ietf.org/rfc/rfc2246.txt

Recommend keeping as BSP references this version.

Referenced as an example on line 223.

Normative reference on line 859 in description of ComputedKey.

[SOAP] W3C Note, "SOAP: Simple Object Access Protocol 1.1", 08 May 2000.

http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

[SOAP12] W3C Recommendation, "SOAP 1.2 Part 1: Messaging Framework", 24 June 2003.

http://www.w3.org/TR/2003/REC-soap12-part1-20030624/

[URI] T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 3986, MIT/LCS, Day Software, Adobe Systems, January 2005.

http://www.ietf.org/rfc/rfc3986.txt

Line 56 first referenced occurrence.

Recommend using RFC 3986 which made 2396 obsolete on grounds that SP uses 3986.

[WS-Addressing] W3C Recommendation, "Web Services Addressing (WS-Addressing)", 9 May 2006.

http://www.w3.org/TR/2006/REC-ws-addr-core-20060509

Used in namespace prefix table and throughout examples and exemplars. First explicit normative reference on line 354.

Recommend using Recommendation rather than Submission version as the TC interop event has.

[WS-Policy] W3C Member Submission, "Web Services Policy 1.2 - Framework", 25 April 2006.

http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/

[WS-PolicyAttachment] W3C Member Submission, "Web Services Policy 1.2 - Attachment", 25 April 2006.

http://www.w3.org/Submission/2006/SUBM-WS-PolicyAttachment-20060425/

Suggest updating reference to W3C submission.

First reference as guidance on line 158/159. First normative reference on line 2194.

[WS-Security]

OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.

OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.

Used throughout spec.

Update to include version 1.1.

[XML-C14N] W3C Recommendation, "Canonical XML Version 1.0", 15 March 2001.

http://www.w3.org/TR/2001/REC-xml-c14n-20010315

Term “canonicaliztion” used in an example on line 1834 without reference. Term used again, normatively, on line 1984 in description of CanonicalizationAlgorithm without reference. Add reference.

Suggest to reference Recommendation version as WSS 1.1 does, rather than the current Candidate Recommendation reference.

[XML-Encrypt] W3C Recommendation, "XML Encryption Syntax and Processing", 10 December 2002.

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

First referenced on line 1981.

[XML-Signature] W3C Recommendation, "XML-Signature Syntax and Processing", 12 February 2002.

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

Referred to throughout via use of “sign”, “integrity” and the namespace prefix ds. Recommend adding reference to definition of Signature on line 80. References on lines 1977 and 1985 missing “-“.

Suggest to also update reference to Recommendation rather than existing Candidate Recommendation link as WSS 1.1 does.

[XML-Schema1] W3C Recommendation, "XML Schema Part 1: Structures Second Edition", 28 October 2004.

http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/

Implicit should be referenced in section 1.4 defining schema file. Recommend using 2^nd edition as SP does.

[XML-Schema2] W3C Recommendation, "XML Schema Part 2: Datatypes Second Edition", 28 October 2004.

http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/

Implicit should be referenced in section 1.4 defining schema file. Recommend using 2^nd edition as SP does.

Non-Normative

[WS-Federation] "Web Services Federation Language," BEA, IBM, Microsoft, RSA Security, VeriSign, July 2003.

First reference as an example on line 229.

[WS-SecurityPolicy] "Web Services Security Policy Language", tbd

Update to TC version.

First reference as an example on line 1483.

[X509] S. Santesson, et al,"Internet X.509 Public Key Infrastructure Qualified Certificates Profile."

http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.509-200003-I

First instance on line 73, missing reference. Used as an example in many other places as well.

*Note* This is the same reference as WSS 1.1 but the link does not resolve.

[Kerberos] J. Kohl and C. Neuman, "The Kerberos Network 149 Authentication Service (V5)," RFC 1510, September 1993.

http://www.ietf.org/rfc/rfc1510.txt

Used as an example on line 191, missing reference. Used as an example in many other places as well.

Same reference as WSS 1.1.

Remove

[XML-ns] W3C Recommendation, "Namespaces in XML", 14 January 1999.

Not used, implicit.

WS-SecurityPolicy

ED-01 rev 07

Normative

[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, Harvard University, March 1997.

http://www.ietf.org/rfc/rfc2119.txt

[SOAP] W3C Note, "SOAP: Simple Object Access Protocol 1.1", 08 May 2000.

http://www.w3.org/TR/2000/NOTE-SOAP-20000508/

[SOAP12] W3C Recommendation, "SOAP 1.2 Part 1: Messaging Framework", 24 June 2003.

http://www.w3.org/TR/2003/REC-soap12-part1-20030624/

[URI] T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 3986, MIT/LCS, Day Software, Adobe Systems, January 2005.

http://www.ietf.org/rfc/rfc3986.txt

[RFC2068] IETF Standard, "Hypertext Transfer Protocol -- HTTP/1.1" January 1997

http://www.ietf.org/rfc/rfc2068.txt

Normative, un-attributed, references on lines 1426 and 1430 for authentication mechanisms.

[RFC2246] IETF Standard, "The TLS Protocol", January 1999.

http://www.ietf.org/rfc/rfc2246.txt

New reference, needed for example in description of HTTPS assertion.

Suggest using this as BSP references this version, consistent with recommendations for SC and Trust.

[WS-Addressing] W3C Recommendation, "Web Services Addressing (WS-Addressing)", 9 May 2006.

http://www.w3.org/TR/2006/REC-ws-addr-core-20060509

Used in namespace prefix table and throughout examples and exemplars.

Recommend using Recommendation rather than Submission version as the TC SC/Trust interop event has.

[WS-Policy] W3C Member Submission "Web Services Policy 1.2 - Framework", 25 April 2006.

http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/

[WS-PolicyAttachment] W3C Member Submission "Web Services Policy 1.2 - Attachment", 25 April 2006.

http://www.w3.org/Submission/2006/SUBM-WS-PolicyAttachment-20060425/

Suggest updating reference to W3C submission.

[WS-Trust] "Web Services Trust Language (WS-Trust)", tbd

Update to TC version.

[WS-SecureConversation] “Web Services Secure Conversation Language (WS-SecureConversation)", tbd

Update to TC version.

[WSS10] OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)", March 2004.

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

[WSS11] OASIS Standard, "OASIS Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)", February 2006.

http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

New reference though the tag is already in use in the spec, i.e. wsse11 namespace in table at line 60. Should also be referenced in section on WSS11 assertion.

[WSS:UsernameToken1.0] OASIS Standard, "Web Services Security: UsernameToken Profile", March 2004

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf

[WSS:UsernameToken1.1] OASIS Standard, "Web Services Security: UsernameToken Profile 1.1", February 2006

http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf

New reference though the tag is already in use in the spec, i.e. in section on UsernameToken assertion.

[WSS:X509Token1.0] OASIS Standard, "Web Services Security X.509 Certificate Token Profile", March 2004

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf

Recommend adding the 1.0 to the tag for consistency with UsernameToken references.

[WSS:X509Token1.1] OASIS Standard, "Web Services Security X.509 Certificate Token Profile", February 2006

http://www.oasis-open.org/committees/download.php/16785/wss-v1.1-spec-os-x509TokenProfile.pdf

New reference though the tag is already in use in the spec, i.e. in section on X.509 assertion.

[WSS:KerberosToken1.1] OASIS Standard, “Web Services Security Kerberos Token Profile 1.1”, February 2006

http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-spec-os-KerberosTokenProfile.pdf

Use 1.1 reference, there does not appear to be a 1.0 for this. Needs to be referenced in definition of Kerberos Token assertion.

[WSS:SAMLTokenProfile1.0] OASIS Standard, “Web Services Security: SAML Token Profile”, December 2004

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf

New reference though the tag is already in use in the spec, i.e. in section on SAML assertion.

[WSS:SAMLTokenProfile1.1] OASIS Standard, “Web Services Security: SAML Token Profile 1.1”, February 2006

http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf

New reference though the tag is already in use in the spec, i.e. in section on SAML assertion.

[WSS: REL Token Profile 1.0] OASIS Standard, “Web Services Security Rights Expression Language (REL) Token Profile”, December 2004

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf

New reference though the tag is already in use in the spec, i.e. in section on REL assertion.

[WSS: REL Token Profile 1.1] OASIS Standard, “Web Services Security Rights Expression Language (REL) Token Profile 1.1”, February 2006

http://www.oasis-open.org/committees/download.php/16687/oasis-wss-rel-token-profile-1.1.pdf

New reference though the tag is already in use in the spec, i.e. in section on REL assertion.

[XML-Encrypt] W3C Recommendation, "XML Encryption Syntax and Processing", 10 December 2002.

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

First referenced on line 1981.

Recommend changing keyword term from [XMLENC] to [XML-Encrypt] for consistency with SC and Trust.

[XML-Signature] W3C Recommendation, "XML-Signature Syntax and Processing", 12 February 2002.

http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/

Referred to throughout via use of “sign”, “integrity” and explicitly in the namespace table for prefix ds.

Suggest using same stable link as WSS and SC/Trust rather than current “latest” link.

Recommend changing keyword term from [XMLENC] to [XML-Encrypt] for consistency with SC and Trust.

[XPATH] W3C Recommendation "XML Path Language (XPath) Version 1.0", 16 November 1999.

http://www.w3.org/TR/1999/REC-xpath-19991116

First, unattributed, use on line 574.

Correct date, should be November and not February of 1999.

[XML-Schema1] W3C Recommendation, "XML Schema Part 1: Structures Second Edition", 28 October 2004.

http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/

[XML-Schema2] W3C Recommendation, "XML Schema Part 2: Datatypes Second Edition", 28 October 2004.

http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/

Non-Normative

None.

Remove

[KEYWORDS] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels," RFC 2119, Harvard University, March 1997

Duplicate reference of [RFC2119].

ws-sx message

Issue 4 Reference Recommendations

WS-SecureConversation

Normative

Non-Normative

Remove

WS-Trust

Normative

Non-Normative

Remove

WS-SecurityPolicy

Normative

Non-Normative

Remove