

Subject: [wss] [wsse] Comments and Issues


I have the following comments, issues and questions on WS-Security Core, Draft 3.

Lines 180 to 184: It is not clear to me whether this definition is meant to describe a case of delegation where the client and sender are two different entities or whether the sender is the channel acting on behalf of a client. From the definition on lines 217 to 223 it appears that delegation is not intended. Either way I believe this paragraph should be clarified.

Line 294: Should read Lines (005) to (009) ..

Line 461: I believe that this line should read - "This required element specifies the username of the authenticated party or the party to be authenticated"  NOT "of the authenticating party."  A clarifying question - am I correct in believing that this specification does not intend to prohibit the receiving party from using the username and password to authenticate the client?

Lines 534 & 535: I believe that these lines should read " ... binary or XML tokens ..", not just "binary tokens"

Lines 575 to 588: Are these lines needed since we RECOMMEND that Exclusive Canonicalization be used?

Section 6.3.2:  We say in the WSS-SAML specification to use the assertion id to reference SAML tokens, not to use the wsu:Id and license id for XrML?  This section should state this and shouldn't unequivocally use "SHOULD" for the wsu:id attribute. 

Section 7.1 & 7.2: These sections also don't mention assertion id's for SAML and license id's for XrML.

Section 7.4:  This section only discusses BinarySecurityTokens.  SAML also has a KeyInfo token.

Don



