OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

wss-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Further comments on WSS 1.1 Core

Here are some further comments on the WSS 1.1 Core CD document[1].



1.	The paragraph at lines 564-571 does not cover the SOAP 1.2 case
where a wsse:Security header omits the soap12:role attribute and another
has a soap12:role attribute with the value
http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver. Text
should be added to cover this case.

2.	Lines 620-621 - The allowed values for SOAP 1.2 are 1,0,true and

3.	Line 831 - The TokenType attribute has the wsse: prefix. I
believe it should be wsse11:

4.	Line 912 - There should be some text that precedes this
paragraph; e.g. "In this version of the specification,". Otherwise it
seems weird to talk about how to use ValueType and then say that it's
not to be used.

5.	Line 938 - I have no idea what a 'bifier' is... Should it be

6.	Line 978 - I don't believe the text in the Description column of
the table is sufficient to tell me how to compute the thumbprint of an
XML based token because it doesn't tell me how to canonicalize the XML.
Is this text supposed to *only* apply to BinarySecurityTokens? If so, it
should state that restriction. In any case, I think it worth the spec
noting that token profiles SHOULD define the token-specific algorithm
for producing the thumbprint value as there may be
interpretation/matching issues.

7.	Line 1251-1253 - The parenthetical statement implies that the
URI for the STR-Transform is
rity-1.1#STR-Transform and I think it should be

8.	Lines 1576-1578 recommend that xenc:EncryptedKey always contain
an xenc:ReferenceList. In the case where the EncyptedKey is used for
signature *and* encryption this makes it impossible to figure out 'who's
on first' (i.e. whether signature or encryption occurred first). I
propose that we change lines 1576-1578 to read;

"This sub-element MAY contain a manifest, that is, an
<xenc:ReferenceList> element, that lists the portions to be
decrypted with this key. The manifest MAY appear outside the
xenc:EncryptedKey provided that the corresponding xenc:EncryptedData
elements contain xenc:KeyInfo elements that reference the EncryptedKey."

9.	Lines 1628-1629 - Why aren't s11:Header and s12:Header listed
explicitly as elements that MUST NOT be encrypted?

10.	Lines 1697-1702 list s12:mustUnderstand, s11:mustUnderstant,
s12:role and s11:actor but not the s12:relay attribute. Propose to add
the following text after line 1702;

"If the referencing <wsse:Security> header block defines a value for the
S12:relay attribute, that attribute and associated value MUST be copied
to the <wsse11:EncryptedHeader> element."

11.	Lines 1764-1765 are inconsistent with Line 1774. The former says
SHOULD be UTC the latter says MUST be UTC.

12.	Line 1807 - The wsu:MessageExpired fault code is NOT defined
anywhere in this spec.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]