OASIS Mailing List Archives



wss message


Subject: [wss] Web Services Security Issues List - Rev 4

The attached issues list was updated to include 1) the current status
for existing issues and 2) new procedural work items and open technical
issues identified during our discussions on Oct 8th and in subsequent
discussions on email.

If there are issues being discussed that need to be tracked but were
omitted please let me know.

Title: WSS Issues

WSS ID | Type | Status | Issue | Resolution | Owner(s)
1 | Technical | Closed | Can we have alternative mechanisms of signature and encryption other than XML DSIG and XML Encryption? | Closed on 10/8/02 - http://lists.oasis-open.org/archives/wss/200210/msg00085.html Conformant implementations must support XML sig/enc and MAY support additional mechanisms. | Closed
2 | Procedural | Closed | Clarify the IP status and licensing terms for the submissions to the working group | Closed on 9/24/02 - http://lists.oasis-open.org/archives/wss/200210/msg00011.html. References Prateek Mishra's posting. http://lists.oasis-open.org/archives/wss/200208/msg00011.html. | Closed
3 | Technical | Open | Proposal to Label Tokens to Indicate Their Semantics | Hal to send summary. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Hal Lockhart
4 | Technical | Open | Why is the token in the header, and not a child of KeyInfo? | Related to 5 - note that the resolution should be consistent with 3. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | TC
5 | Technical | Open | Within the KeyInfo, why not use a ds:RetrievalMethod? | Related to 4. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | TC
6 | Investigation | Open | Will the authors of the roadmap submit it? | Owners to provide fixed URL. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Chair
7 | Technical | Closed | Does WS-Security assume SOAP 1.1? | Per Sept 4 minutes – it will support all versions of SOAP | Closed
8 | Investigation | Closed | Determine interest in a Use case document | Formed a sub-committee, led by Erik Herring | Closed
9 | Investigation | Open | Approach authors to submit the App Note to the TC | Use case authors to determine need to reference the document. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Use case authors
10 | Investigation | Postponed | Investigate interop fest at some later time | Postponed pending more feedback on documents. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Chair
11 | Investigation | Postponed | Pick date for OASIS submission date after initial drafts available | Covered by issue 10. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Chair
12 | Procedural | Closed | Remove all references to ws-routing and such | References were removed. | Closed
13 | Technical | Closed | Element ordering in the Security tag. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Open
14 | Technical | Open | State that the recipient SHOULD authenticate the assertion issuer and ensure that the assertion has not been modified | Ronald Monzillo to propose change. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Ronald Monzillo
15 | Technical | Open | Core: Spec should indicate that it is based on the SOAP messaging model. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Editors
16 | Technical | Closed | Core: The spec should indicate that nonce and / or timestamp elements should be used to prevent replay. | http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Closed
17 | Technical | Closed | Core: Should SOAP nodes acting in a particular role create or update the appropriate timestamp element? | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200209/msg00094.html | Editors
18 | Technical | Closed | Core: No attribute or reference to the sender's time. | http://lists.oasis-open.org/archives/wss/200210/msg00085.html | Closed
19 | Technical | Open | Core: Why is it necessary to special case a Username/Password POP token? | Ronald Monzillo directed to participate in resolution of labelling and POP | Ronald Monzillo
20 | Technical | Open | Core: Define security token propagation. | Editors instructed to clarify. http://lists.oasis-open.org/archives/wss/200210/msg00085.html |
21 | Technical | Open | Core: Update definition of a security token to reflect role in defining key or broaden definition. | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
22 | Technical | Open | Core: Should the spec preclude security tokens whose purpose is other than to convey or bind a key to an identity or entity? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
23 | Technical | Open | Core: Make Proof-of-Possession a fundamental type or relationship within [sic] within the ws-security model? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
24 | Technical | Open | Core: Why is it necessary to treat XML Signature elements as other than security tokens? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
25 | Technical | Open | Core: How can a Signature element occurring outside of the header be referenced? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
26 | Technical | Open | Core: What does it mean to process a BinarySecurityToken? | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
27 | Technical | Open | Core: Reference element should have an @any to allow for attribute extensibility | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
28 | Technical | Open | SAML Binding: Include the use of the URI attribute (on SecurityTokenReference) from the SS TC submission | http://lists.oasis-open.org/archives/wss/200209/msg00095.html | Ronald Monzillo
29 | Technical | Open | SAML Binding: Should there be a reference form that carries what amounts to a SAML assertion Query such that the sender does not need to have acquired the assertion (to be able to apply it to a request)? | | Ronald Monzillo
30 | Technical | Open | Should use XML Schema | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
31 | Technical | Open | Should use OASIS Namespace | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
32 | Technical | Open | A couple of parameter values are prescribed (e.g. SHA-1 in the case of the password digest and “five minutes” in the case of message freshness). The specification should be flexible in these respects. | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
33 | Technical | Open | The specification should prescribe clear behaviour for all parties in regard to freshness safeguards. And it should require that time values be enclosed in integrity mechanisms. | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
34 | Technical | Open | <wsu:Created> appears to be just a convenient way for the originator to create a nonce. Therefore, it seems unnecessary to require processing different from that required for the <wsu:Nonce> element. | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
35 | Technical | Open | Is it necessary to support the HexBinary encoding of tokens? | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
36 | Technical | Open | In section 10.2.2, why not just specify that the <Created> element type be xsd:dateTime? | http://lists.oasis-open.org/archives/wss/200210/msg00098.html | Tim Moses
37 | Technical | Open | Lines 193-195: Where does the threat of replay attacks belong? To the first or the second group? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
38 | Technical | Open | Line 238: Since this is normative text, how are "inappropriate claims" defined here? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
39 | Technical | Open | Lines 251-255: Since the UsernameToken element does not have a password digest, what is the purpose of the Nonce and Created elements here? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
40 | Technical | Open | Paragraphs in lines 535-537 and 538-540 repeat each other and one of them needs to be eliminated. | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
41 | Technical | Open | Line 1016: which specification's section 4.5.3 does it refer to? The text above implies XML Encryption. It should be explicit. | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
42 | Technical | Open | Line 1155: the meaning of "materially" is unclear. | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
43 | Technical | Open | Lines 1430, 1431: The clause "these elements be included in the signature" is unclear. What does "included in the signature" mean? Should they be signed? | http://lists.oasis-open.org/archives/wss/200210/msg00092.html | Konstantin Beznosov
44 | Technical | Open | SAML Canonicalization | http://lists.oasis-open.org/archives/wss/200210/msg00070.html | Don Flinn
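Issues 16, 32, 33, 34 and 39 in the list above all turn on the same recipient-side processing: what a receiver does with the UsernameToken's Nonce and Created elements, how wide the freshness window is, and whether the time value is covered by an integrity check. The following is an added example written for this archive page; it is not code from the TC, the submitters, or the draft under discussion. It implements the receiver checks in Python using the digest formula of the published WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)); the draft reviewed on this list may have differed in detail. The user store, the token-as-dict representation, the in-memory nonce cache and the default five-minute window (the prescribed value issue 32 objects to, made a parameter here) are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Freshness window the recipient enforces. The draft discussed on the list
# prescribed "five minutes"; issue 32 asks for flexibility, so it is a parameter.
DEFAULT_WINDOW = timedelta(minutes=5)
CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as carried in <wsu:Created>


def format_created(dt):
    """Render an aware datetime as the <wsu:Created> text."""
    return dt.astimezone(timezone.utc).strftime(CREATED_FORMAT)


def parse_created(text):
    """Parse a <wsu:Created> value back into an aware UTC datetime."""
    return datetime.strptime(text, CREATED_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)) per the WSS UsernameToken Profile.

    The raw nonce bytes are hashed, not their Base64 text. 'created' is the exact
    string sent in the message, so the digest also binds the time value (the
    integrity coverage issue 33 asks for, at least for this token form)."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_username_token(username, password, now=None):
    """Sender side: the fields of a digest-form UsernameToken as a dict
    (XML serialisation is out of scope for this example)."""
    nonce = secrets.token_bytes(16)
    created = format_created(now or datetime.now(timezone.utc))
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Recipient side: freshness check, replay cache, then digest verification.

    'passwords' is a hypothetical username -> password store; the digest form
    requires the verifier to hold the password (or an equivalent secret)."""

    def __init__(self, passwords, window=DEFAULT_WINDOW, clock=None):
        self._passwords = passwords
        self._window = window
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._seen = {}  # nonce bytes -> Created time; entries expire with the window

    def verify(self, token):
        now = self._clock()
        # Nonces older than the window can be forgotten: a token that old is
        # rejected as stale below, so the cache only has to span the window.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self._window}

        created = parse_created(token["Created"])
        # abs() rejects future-dated tokens too, bounding clock skew either way.
        if abs(now - created) > self._window:
            return (False, "stale")

        nonce = base64.b64decode(token["Nonce"])
        if nonce in self._seen:
            return (False, "replay")

        # Unknown users still get a digest computed (against an empty password)
        # and the same failure string, so response timing and wording do not
        # reveal which usernames exist.
        password = self._passwords.get(token["Username"])
        expected = password_digest(nonce, token["Created"], password or "")
        good = hmac.compare_digest(expected.encode("ascii"),
                                   token["PasswordDigest"].encode("utf-8"))
        if password is None or not good:
            return (False, "bad digest")

        # Record the nonce only after the digest checked out, so forged tokens
        # cannot pre-fill the cache and block a legitimate nonce.
        self._seen[nonce] = created
        return (True, "ok")


def demo():
    """Fixed-clock walk-through: accept once, reject the replay, reject when stale."""
    t0 = parse_created("2002-10-08T12:00:00Z")
    store = {"alice": "correct horse battery staple"}  # constructed sample data
    token = make_username_token("alice", store["alice"], now=t0)
    fresh = UsernameTokenVerifier(store, clock=lambda: t0)
    later = UsernameTokenVerifier(store, clock=lambda: t0 + timedelta(minutes=6))
    return [fresh.verify(token), fresh.verify(token), later.verify(token)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the checks matters: freshness first, so the nonce cache only needs to remember one window's worth of nonces (the point behind issue 34's observation that Created is effectively a nonce with a bound lifetime); then the replay lookup; then the digest, with the nonce committed to the cache only on success. Note that the digest binds Created only for the password-digest form of the token; a UsernameToken without a digest (issue 39) gets no integrity protection for its Nonce and Created from this mechanism, which is exactly why their purpose in that form was questioned.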
