PLEASE DO NOT REPLY TO THIS EMAIL OR START A DISCUSSION THREAD UNTIL THE ISSUE IS ASSIGNED A NUMBER.
The issues coordinators will notify the list when that has occurred.
Use-Case for Timestamp Property.
The specification states that if [Timestamp] is false, then <wsu:Timestamp> should not be present inside the <wsse:Security> header.
Does this mean that if the [Timestamp] property is set to false, or <includeTimestamp>
is absent, and yet a request/response <wsse:Security> header contains
a <wsu:Timestamp>, then this should be treated as a violation entailing
rejection of such a request/response?
My question is: Is this intended behaviour? Is there a practical use case for
this? I guess most implementors follow the following algorithm/truth table:
Policy Actual Result
False False Accept
The highlighted values in the truth table are something we noticed
implementors (at the WS-Policy interop event) doing, which means that if
[Timestamp] is set to false, they ignore the <wsu:Timestamp> element if found
inside the <wsse:Security> header, and thus accept the message.
Should the spec be updated accordingly, or should vendors change their
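
Added example, not part of the original message and not any vendor's code: the two readings discussed above (strict rejection versus ignoring an unexpected <wsu:Timestamp>) as one check over constructed sample messages. The function names, the SOAP 1.1 envelope namespace and the handling of [Timestamp] = true (element required) are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser such as defusedxml

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"


def has_timestamp(envelope_xml):
    """True if any wsse:Security header block has a direct wsu:Timestamp child."""
    root = ET.fromstring(envelope_xml)
    for security in root.iterfind(f"{{{SOAP}}}Header/{{{WSSE}}}Security"):
        if security.find(f"{{{WSU}}}Timestamp") is not None:
            return True
    return False


def check_timestamp(policy_timestamp, envelope_xml, strict):
    """Return 'accept' or 'reject' for the [Timestamp] assertion only."""
    present = has_timestamp(envelope_xml)
    if policy_timestamp:
        # Assumption: [Timestamp] = true requires the element to be present.
        return "accept" if present else "reject"
    if present and strict:
        # Strict reading: an unexpected wsu:Timestamp is a policy violation.
        return "reject"
    # Lenient reading: an unexpected wsu:Timestamp is ignored.
    return "accept"


def envelope(with_timestamp):
    """Constructed sample message (SOAP 1.1 namespace assumed), not a captured one."""
    ts = ("<wsu:Timestamp><wsu:Created>2007-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>"
          if with_timestamp else "")
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<soap:Header><wsse:Security>{ts}</wsse:Security></soap:Header>"
            "<soap:Body/></soap:Envelope>")


if __name__ == "__main__":
    print(f"{'Policy':<8}{'Actual':<8}{'Strict':<8}{'Lenient':<8}")
    for policy in (True, False):
        for actual in (True, False):
            msg = envelope(actual)
            print(f"{str(policy):<8}{str(actual):<8}"
                  f"{check_timestamp(policy, msg, strict=True):<8}"
                  f"{check_timestamp(policy, msg, strict=False):<8}")
```

The two readings differ only in the row where the policy says false and the message carries a timestamp; a receiver that takes the lenient path should still decide whether an ignored timestamp's Created/Expires values are validated or discarded.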