Subject: [wss] Web Services Security Issues List - Rev 4
The attached issues list was updated to include 1) the current status for existing issues and 2) new procedural work items and open technical issues identified during our discussions on Oct 8th and in subsequent discussions on email. If there are issues being discussed that need to be tracked but were omitted please let me know. Regards, -John

Title: WSS Issues
WSS ID | Type | Status | Issue | Resolution | Owner(s) |
1 | Technical | Closed | Can we have alternative mechanisms of signature and encryption other than XML DSIG and XML Encryption? | Closed on 10/8/02 - http://lists.oasis-open.org/archives/wss/200210/msg00085.html Conformant implementations must support XML sig/enc and MAY support additional mechanisms. | Closed |
2 | Procedural | Closed | Clarify the IP status and licensing terms for the submissions to the working group | Closed on 9/24/02 - http://lists.oasis-open.org/archives/wss/200210/msg00011.html. References Prateek Mishra's posting. http://lists.oasis-open.org/archives/wss/200208/msg00011.html. | Closed |
3 | Technical | Open | Proposal to Label Tokens to Indicate Their Semantics | Hal to send summary. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Hal Lockhart |
4 | Technical | Open | Why is the token in the header, and not a child of KeyInfo? | Related to 5 - note that the resolution should be consistent with 3. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | TC |
5 | Technical | Open | Within the KeyInfo, why not use a ds:RetrievalMethod? | Related to 4. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | TC |
6 | Investigation | Open | Will the authors of the roadmap submit it? | Owners to provide fixed URL. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Chair |
7 | Technical | Closed | Does WS-Security assume SOAP 1.1? | Per Sept 4 minutes – it will support all versions of SOAP | Closed |
8 | Investigation | Closed | Determine interest in a Use case document | Formed a sub-committee, led by Erik Herring | Closed |
9 | Investigation | Open | Approach authors to submit the App Note to the TC | Use case authors to determine need to reference the document. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Use case authors |
10 | Investigation | Postponed. | Investigate interop fest at some later time | Postponed pending more feedback on documents. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Chair |
11 | Investigation | Postponed. | Pick date for OASIS submission date after initial drafts available | Covered by issue 10. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Chair |
12 | Procedural | Closed | Remove all references to ws-routing and such | References were removed. | Closed |
13 | Technical | Closed. | Element ordering in the Security tag. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Open |
14 | Technical | Open | State that the recipient SHOULD authenticate the assertion issuer and ensure that the assertion has not been modified | Ronald Monzillo to propose change. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Ronald Monzillo |
15 | Technical | Open | Core: Spec should indicate that it is based on the SOAP messaging model. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Editors |
16 | Technical | Closed | Core: The spec should indicate that nonce and / or timestamp elements should be used to prevent replay. | http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Closed |
17 | Technical | Closed | Core: Should SOAP nodes acting in a particular role create or update the appropriate timestamp element. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200209/msg00094.html | Editors |
18 | Technical | Closed | Core: No attribute or reference to the senders time. | http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Closed |
19 | Technical | Open | Core: Why is it necessary to special case a Username/Password POP token? | Ronald Monzillo directed to participate in resolution of labelling and POP. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Ronald Monzillo |
20 | Technical | Open | Core: Define security token propagation. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Editors |
21 | Technical | Open | Core: Update definition of a security token to reflect role in defining key or broaden definition. | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
22 | Technical | Open | Core: Should the spec preclude security tokens whose purpose is other than to convey or bind a key to an identity or entity? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
23 | Technical | Open | Core: Make Proof-of-Possession a fundamental type or relationship within the ws-security model? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
24 | Technical | Open | Core: Why is it necessary to treat XML Signature elements as other than security tokens? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
25 | Technical | Open | Core: How can a Signature element occurring outside of the header be referenced? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
26 | Technical | Open | Core: What does it mean to process a BinarySecurityToken? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
27 | Technical | Open | Core: Reference element should have an @any to allow for attribute extensibility | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
28 | Technical | Open | SAML Binding: Include the use of the URI attribute (on SecurityTokenReference) from the SS TC submission | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
29 | Technical | Open | SAML Binding: Should there be a reference form that carries what amounts to a SAML assertion Query such that the sender does not need to have acquired the assertion (to be able to apply it to a request)? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo |
30 | Technical | Open | Should use XML Schema | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
31 | Technical | Open | Should use OASIS Namespace | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
32 | Technical | Open | A couple of parameter values are prescribed (e.g. SHA-1 in the case of the password digest and "five minutes" in the case of message freshness). The specification should be flexible in these respects. | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
33 | Technical | Open | The specification should prescribe clear behaviour for all parties in regard to freshness safeguards. And it should require that time values be enclosed in integrity mechanisms. | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
34 | Technical | Open | <wsu:Created> appears to be just a convenient way for the originator to create a nonce. Therefore, it seems unnecessary to require processing different from that required for the <wsu:Nonce> element. | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
35 | Technical | Open | Is it necessary to support the HexBinary encoding of tokens? | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
36 | Technical | Open | In section 10.2.2, why not just specify that the <Created> element type be xsd:dateTime? | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses |
37 | Technical | Open | lines 193-195: Where does the threat of replay attacks belong? To the first or the second group? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
38 | Technical | Open | line 238: Since this is normative text, how are "inappropriate claims" defined here? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
39 | Technical | Open | Lines 251-255: Since the UsernameToken element does not have a password digest, what is the purpose of the Nonce and Created elements here? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
40 | Technical | Open | Paragraphs in lines 535-537 and 538-540 repeat each other and one of them needs to be eliminated. | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
41 | Technical | Open | Line 1016: what specification's section 4.5.3 does it refer to? The above text implies XML Encryption. It should be explicit. | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
42 | Technical | Open | Line 1155: the meaning of "materially" is unclear. | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
43 | Technical | Open | Lines 1430, 1431: The clause "these elements be included in the signature" is unclear. What does "included in the signature" mean? Should they be signed? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov |
44 | Technical | Open | SAML Canonicalization | http://lists.oasis-open.org/archives/wss/200210/msg00070.html | Don Flinn |
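Issues 16, 32, 33, 34 and 39 above all turn on what a receiver actually does with the Nonce and Created elements of a UsernameToken. The following is an added example, not part of this issues list or of any TC submission, of the receiver-side checks in Python: it recomputes the draft's digest rule, Base64(SHA-1(nonce + created + password)), with the hash and the freshness window left as parameters rather than hard-wired (issue 32); rejects tokens whose Created lies outside the window in either direction (issue 33); and remembers the nonces seen within that window so a replayed token is refused (issue 16). The namespaces, element names, sample credentials, nonces and timestamps are assumptions made for the demonstration, and the Password Type attribute is matched only by its local name so either the draft's QName form or a URI form passes.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces of the 2002 draft under discussion, assumed here (issue 31 notes they were
# not OASIS namespaces yet); only the local names matter to the checks below.
WSSE = "http://schemas.xmlsoap.org/ws/2002/07/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"


def password_digest(nonce: bytes, created: str, password: str, hash_name: str = "sha1") -> str:
    """Draft rule: PasswordDigest = Base64( SHA-1( nonce + created + password ) ).
    The hash is a parameter so the choice is not hard-wired (issue 32)."""
    h = hashlib.new(hash_name)
    h.update(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def parse_created(created: str) -> datetime:
    """wsu:Created treated as xsd:dateTime (issue 36); a trailing 'Z' is normalised."""
    if created.endswith("Z"):
        created = created[:-1] + "+00:00"
    dt = datetime.fromisoformat(created)
    if dt.tzinfo is None:
        raise ValueError("Created must carry a timezone")
    return dt.astimezone(timezone.utc)


def parse_username_token(xml_text: str) -> dict:
    """Extract Username, Password (+Type), Nonce and Created from a wsse:UsernameToken."""
    root = ET.fromstring(xml_text)
    pw = root.find(f"{{{WSSE}}}Password")

    def text(tag, ns):
        el = root.find(f"{{{ns}}}{tag}")
        return None if el is None else (el.text or "")

    return {
        "username": text("Username", WSSE),
        "password": None if pw is None else (pw.text or ""),
        "password_type": "" if pw is None else pw.get("Type", ""),
        "nonce": text("Nonce", WSSE),
        "created": text("Created", WSU),
    }


class UsernameTokenVerifier:
    """Receiver-side checks: digest, freshness window, and per-window nonce replay cache."""

    def __init__(self, passwords, freshness=timedelta(minutes=5), hash_name="sha1", clock=None):
        self.passwords = passwords            # username -> password (constructed store)
        self.freshness = freshness            # "five minutes" is a parameter, not a constant
        self.hash_name = hash_name
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seen = {}                        # (username, nonce text) -> created

    def verify(self, xml_text: str):
        tok = parse_username_token(xml_text)
        if not all([tok["username"], tok["password"] is not None, tok["nonce"], tok["created"]]):
            return False, "missing Username, Password, Nonce or Created"
        # Issue 39: Nonce/Created bind to the password only through the digest, so a
        # PasswordText token gains nothing from them; refuse anything but PasswordDigest.
        if not tok["password_type"].endswith("PasswordDigest"):
            return False, "only PasswordDigest is accepted"
        try:
            created = parse_created(tok["created"])
            nonce = base64.b64decode(tok["nonce"], validate=True)
        except ValueError as e:
            return False, f"malformed token: {e}"
        now = self.clock()
        # Issue 33: behaviour is explicit; too old and too far in the future are both rejected.
        if abs(now - created) > self.freshness:
            return False, "Created outside freshness window"
        # Issue 16: nonces are remembered only for the window, which the check above bounds.
        cutoff = now - self.freshness
        self.seen = {k: v for k, v in self.seen.items() if v >= cutoff}
        key = (tok["username"], tok["nonce"])
        if key in self.seen:
            return False, "nonce already seen (replay)"
        # Always compute and compare a digest so unknown users are not distinguishable by timing.
        secret = self.passwords.get(tok["username"], "")
        expected = password_digest(nonce, tok["created"], secret, self.hash_name)
        if tok["username"] not in self.passwords or not hmac.compare_digest(
            expected.encode("utf-8"), tok["password"].encode("utf-8")
        ):
            return False, "digest mismatch"
        self.seen[key] = created
        return True, "ok"


def build_username_token(username, password, nonce: bytes, created: str, hash_name="sha1") -> str:
    """Sender side; produces the constructed sample tokens used in demo()."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        '<wsse:Password Type="wsse:PasswordDigest">'
        f"{password_digest(nonce, created, password, hash_name)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def demo():
    """Fixed clock so the run is deterministic; credentials and nonces are constructed."""
    now = datetime(2002, 10, 15, 12, 0, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier({"alice": "correct horse"}, clock=lambda: now)
    good = build_username_token("alice", "correct horse", b"\x01\x02\x03\x04", "2002-10-15T11:58:30Z")
    first = v.verify(good)                        # accepted
    replay = v.verify(good)                       # same nonce again: refused
    stale = v.verify(build_username_token("alice", "correct horse", b"\x05\x06", "2002-10-15T11:50:00Z"))
    wrong = v.verify(build_username_token("alice", "wrong password", b"\x07\x08", "2002-10-15T12:00:00Z"))
    return first, replay, stale, wrong


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The freshness check and the replay cache only work as a pair: the window bounds how long a nonce has to be remembered, and the cache is what stops a token that is still inside the window from being presented twice. Neither protects Created or Nonce from being altered in transit, which is the second half of issue 33; that needs the elements covered by the message signature, and the digest here only detects a change because Created is one of its inputs.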