OASIS Mailing List Archives

Subject: [wss] Username password token definition

I'd like to raise the following use case related issues with Working Draft 3
of the core.

Section 6.1 Usernames and Passwords, beginning at line 422, defines
the use of the <wsse:UsernameToken> element "as a way of providing a
username and optional password information". The definition of this token
makes no mention of its potential value in defining the key to support
the signing or encryption of the attached SOAP message.  I realize that the
core document is intended to serve as a framework, but it seems less than
obvious from the description that these tokens could be used to identify
a signing (or encryption) key, which perhaps is the most significant use
case that features such tokens.

The example in section 3.4, beginning at line 248, seems to depict the use
of such tokens (as revealed by lines 299-300) as a means to carry
a password-derived signing key. However, the importance of this example
warrants further discussion in section 6.1.

I am concerned that the degree to which such use cases are difficult to
intuit from the specification is limiting our ability to determine the
specification's readiness to support interoperability, and to raise issues
where it is not.

The "core" use cases must be clearly spelled out, and the individual 
documents must each define their related use cases.

