ER014 2119 terms for SP proposal

Here is my analysis for SP, same pattern as SC and Trust.

ER014 – SP

Changes needed

Line 121

Extensibility points in the exemplar MAY not be described in the corresponding text

Line 130

WS-SecurityPolicy SHOULD be applicable to any version of SOAP

Line 321

Assertions MAY be used to further qualify a specific aspect of another assertion. For example, an assertion describing the set of algorithms to use MAY qualify the specific behavior of a security binding

Line 338

Any REQUIRED message elements (e.g. timestamps) in the wsse:Security header

Line 347

Note that a service MAY choose to reject messages despite them conforming to its policy, for example because a client certificate has been revoked. Note also that a service MAY choose to accept messages that do not conform to its policy.

Line 365

This section defines properties that are referenced later in this document describing the RECOMMEDED or REQUIRED attachment points for various assertions.

Line 489

Multiple instances of this element MAY appear within this assertion and SHOULD be treated as separate references in a signature when message security is used

Line 571

Multiple instances of this element MAY appear within this assertion and SHOULD be treated as separate references

Line 597

Multiple instances of this element MAY appear within this assertion and SHOULD be treated as separate references

Line 628

Multiple instances of this element MAY appear within this assertion and SHOULD be treated as a combined XPath expression

Line 658

Any token assertion MAY also carry an OPTIONAL sp:IncludeToken attribute

Line 659

This attribute indicates whether the token SHOULD be included

Line 664 (in table)

an external reference to the token SHOULD be used.

Subsequent related messages sent between the recipient and the initiator MAY refer to

Line 673

A token assertion MAY carry a sp:IncludeToken attribute that requires that the token be included in the message

Line 684

then references to that token are REQUIRED to contain all the specified reference types.

Line 691

Any token assertion MAY also carry an OPTIONAL sp:Issuer element

Line 696

Any token assertion MAY also carry an OPTIONAL sp:IssuerName element.

Line 703

While both sp:Issuer and sp:IssuerName elements are OPTIONAL they are also mutually exclusive

Line 706

Any token assertion MAY also carry an OPTIONAL wst:Claims element

Line 710

This element indicates the REQUIRED claims that the security token MUST contain in order to satisfy the requirements of the token assertion.

Line 713

Individual token assertions MAY further limit what claims MAY be specified for that specific token assertion.

Line 716

As long as the union of all tokens in the received message contains the REQUIRED set of claims from REQUIRED token issuers the message is valid according to the receiver’s policy.

Line 736

This boolean property specifies whether derived keys SHOULD be used as defined in WS-SecureConversation

Line 900

Note: The IssuedToken MAY or MAY NOT be associated with key material and such key material MAY be symmetric or asymmetric.

Line 902

Services MAY also include information in the sp:RequestSecurityTokenTemplate element

Line 1180

then either the sp:SecureConversationToken or the sp:IssuedToken assertion SHOULD be used instead

Line 1187

Because this token is issued by the target service and MAY NOT have a separate port

Line 1379

the sp:IssuedToken assertion SHOULD be used instead

Line 1451

the sp:IssuedToken assertion SHOULD be used instead

Line 1597

This property specifies the algorithm suite REQUIRED for performing cryptographic operations with symmetric or asymmetric key based security tokens.

Line 1635

This property indicates the order in which integrity and confidentiality are applied to the message, in cases where both integrity and confidentiality are REQUIRED

Line 1639

This boolean property specifies whether the signature MUST be encrypted.

Line 1641

The primary signature element is NOT REQUIRED to be encrypted if the value is ‘true’

Line 1646

This boolean property specifies whether signatures MUST cover the token used to generate that signature.

Line 1650

It is RECOMMENDED that assertions that define values for this property apply to [Endpoint Policy Subject].

Line 1653

This boolean property specifies whether signature digests over the SOAP body and SOAP headers MUST only cover the entire body and entire header elements.

Line 1661

It is RECOMMENDED that assertions that define values for this property apply to [Endpoint Policy Subject].

Line 1674

then it SHOULD appear before the ds:Signature and xenc:ReferenceList elements

Line 1700

then it SHOULD appear before the ds:Signature and xenc:ReferenceList elements

Line 1719

However, the xenc:ReferenceList is NOT REQUIRED to appear before independently encrypted tokens such as the xenc:EncryptedKey token as defined in WSS

Line 2133

Additional tokens MAY be specified to augment the claims

Line 2134

This section defines seven properties related to supporting token requirements which MAY be referenced by a Security Binding

Line 2145

Supporting tokens MAY be specified at a different scope than the binding assertion

Line 2148

the sender SHOULD merge the requirements by including all tokens

Line 2152

all the tokens SHOULD sign and encrypt the various message parts

Line 2161

To illustrate the different ways that supporting tokens MAY be bound to the message

Line 2165

Even before any supporting tokens are added, each binding requires that the message is signed using a token satisfying the REQUIRED usage for that binding

Line 2171

Note: if REQUIRED, the initiator MAY also include in the Security header the token used as the basis for the message signature (Sig1), not shown in the diagram

Line 2178

Supporting tokens are included in the security header and MAY OPTIONALLY include additional message parts to sign and/or encrypt

Line 2229

Signed tokens are included in the “message signature” as defined above and MAY OPTIONALLY include additional message parts to sign and/or encrypt

Line 2283

produced from the message signature and MAY OPTIONALLY include

Line 2339

This assertion MAY OPTIONALLY include additional message parts to sign and/or encrypt

Line 2345

If transport security is used, the token (Tok2) is included in the Security header and the signature (Sig2) SHOULD cover the message timestamp as illustrated below

Line 2485

There are several OPTIONAL aspects to the WSS: SOAP Message Security specification

Line 2496

a token MAY be referenced using different mechanisms

Line 2551

This boolean property specifies whether wsse11:SignatureConfirmation elements SHOULD be used

Line 2634

These assertions relate to interactions with a Security Token Service and MAY augment the behaviors defined by

Line 2649

A challenge issued by the server MAY increase the number of messages exchanged by the client and service

Line 2656

This boolean property indicates whether client entropy is REQUIRED to be used as key material for a requested proof token. A value of 'true' indicates that client entropy is REQUIRED. A value of 'false' indicates that client entropy is NOT REQUIRED

Line 2661

This boolean property indicates whether server entropy is REQUIRED to be used as key material for a requested proof token. A value of 'true' indicates that server entropy is REQUIRED. A value of 'false' indicates that server entropy is NOT REQUIRED

Line 2881

Policy MAY be embedded inside an Issued Token assertion, or acquired out-of-band. There MAY be an explicit trust relationship between the Server and the STS. There MUST be a trust relationship between the Client and the STS.

Line 2885

client-specific parameters that MUST be understood

Line 2898

The Client MAY augment or replace the contents of the RST

Line 2902

The Issued Token Policy Assertion contains elements which MUST be understood by the Client. The assertion contains one element which contains a list of arbitrary elements which SHOULD be sent along to the STS

Line 2908

All items are OPTIONAL , since the Server and STS MAY already have a pre-arranged relationship

Line 3808

A wsse:UsernameToken MAY be encrypted when a transport binding is not being used

English usages – No changes required

Line 51 “element are required to be satisfied” (describes an example)

Line 57 “required to be encrypted” (describes an example)

Line 318 “For example, it may be common that the mechanism is constant for an endpoint”

Line 719 “For example if the receiver’s policy contains two token assertions, one requires”

Line 834 “For example, the initiator may need”

Lines 2478, 2480, 2482 “must be included” (describes an example)

All un-capitalized terms in section 12 are English and properly not capped, no change

Schema exemplar description changes

Many issues with OPTIONAL and REQUIRED in the schema exemplar descriptions. These are straightforward and I recommend that if the above is acceptable that the editors simply produce a redline version for review.

ws-sx message