OASIS Mailing List Archives

wss message



Subject: [wss] ISSUE: S:mustUnderstand


On line 434 of draft 10-0223-merged the example uses the attribute S:mustUnderstand. I believe that the use of this header must be clarified. On line 454, the spec states that "all compliant implementations MUST declare which profiles they support and MUST be able to process a <wsse:Security> element and any sub-elements which may be defined by that profile."
 
1) Does this mean that the recipient MUST respond with FAULT if any sub-element of <wsse:Security> is not able to be processed? I believe it does, but this could be interpreted otherwise. I believe the spec should be clarified to include a normative description of what must be understood. Further, the spec only defines two types of unsupported FAULT codes: UnsupportedSecurityToken and UnsupportedAlgorithm, neither of which may apply if a non-Token sub-element is present.
 
2) What namespace must the "mustUnderstand" attribute be in? Should it be only in the SOAP-ENV 1.2 namespace, making the header inappropriate for SOAP 1.1 envelopes? Or should the specification require that the namespace for mustUnderstand match that of the enveloping <Header>? Then the attribute itself could be assumed to be understood in any context, including future versions of the SOAP specification.
 
3) Why is there a wsu:mustUnderstand attribute defined in the wsu namespace? I don't see any reference to it anywhere in the specification yet it is defined in one of the outputs of the committee. What is its use in this spec, in other specs, or to the greater roadmap? We should either define this or eliminate it.
 
4) Where or how MUST all compliant implementations declare their support for profiles? Is this intended to mean that our respective companies MUST issue press releases or that all packaging of secure web services software MUST have a label on it that declares the support for a specific profile?
 
5) Finally, on a grammatical note, there is confusion in the sentence I quoted above between "which profiles" and "that profile". This should probably be "which profiles" and "those profiles".
 
-Eric
 
Eric Gravengaard
Reactivity
617-256-0328 (mobile)
650-551-7891 (office)
eric@reactivity.com
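
Added example, not part of the original message or of the draft: a receiver-side check in Python that takes the strict reading of question 1 (any unprocessable child of <wsse:Security> is an error when mustUnderstand is set) and the option from question 2 (the attribute must be in the enveloping SOAP namespace). The wsse namespace URI is the one from the later WSS 1.0 standard, and `UNDERSTOOD`, `check_security_header` and `sample` are hypothetical names; the envelopes are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
# Assumption: WSS 1.0 secext namespace; the draft under discussion may use another URI.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Hypothetical: the Security children that this receiver's supported profiles can process.
UNDERSTOOD = {f"{{{WSSE}}}UsernameToken", f"{{{WSSE}}}BinarySecurityToken"}

def split(tag):
    """Split ElementTree's '{ns}local' name into (ns, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def check_security_header(xml_text):
    """Return a list of problems; an empty list means the header can be processed."""
    env = ET.fromstring(xml_text)
    env_ns, local = split(env.tag)
    if local != "Envelope" or env_ns not in (SOAP11, SOAP12):
        return ["not a SOAP 1.1/1.2 envelope"]
    sec = env.find(f"{{{env_ns}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return []
    problems, must = [], False
    for name, value in sec.attrib.items():
        ns, attr = split(name)
        if attr != "mustUnderstand":
            continue
        if ns == env_ns:
            # SOAP 1.1 uses "0"/"1"; SOAP 1.2 uses xs:boolean, so "true" is accepted too.
            must = value in ("1", "true")
        else:
            problems.append(f"mustUnderstand is in namespace {ns!r}, not the envelope's")
    if must:
        # Strict reading: every child must be one the receiver can process.
        problems += [f"cannot process {split(c.tag)[1]}"
                     for c in sec if c.tag not in UNDERSTOOD]
    return problems

def sample(env_ns, attr_ns, child):
    """Build a constructed envelope for the checks below."""
    return (f'<S:Envelope xmlns:S="{env_ns}" xmlns:m="{attr_ns}" xmlns:wsse="{WSSE}">'
            f'<S:Header><wsse:Security m:mustUnderstand="1"><wsse:{child}/>'
            f'</wsse:Security></S:Header><S:Body/></S:Envelope>')

if __name__ == "__main__":
    for args in [(SOAP11, SOAP11, "UsernameToken"), (SOAP11, SOAP11, "Custom"),
                 (SOAP11, SOAP12, "Custom")]:
        print(args[2], check_security_header(sample(*args)))
```

The second case shows the gap raised in question 1: the child is not a token, so neither UnsupportedSecurityToken nor UnsupportedAlgorithm describes the failure.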
 

