[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Some editorial mistakes?
Hi.
You may know, but I found some incompletnesses.
Could you please check following.
Firstly,
There are inconsistent descriptions between Core and UsernameToken
Profile.
At least, for non-english-native people will misunderstand...
Password element is used to send hashed password(password digest).
I think it must be true that a secure transport should be used when
plain password is sent, it is ambiguous whether a secure transport
should be used or not when digested password is sent.
---
Web Services Security
SOAP Message Security (Core)
Working Draft 11, Monday, 03 March 2003
(1538-1540)
If the underlying transport does not provide enough
protection against eavesdropping, the password SHOULD
be digested as described in Section 6.1.1.
---
Web Services Security
UsernameToken Profile
Working Draft 2, Sunday, 23 February 2003
(127-129)
/wsse:UsernameToken/Password
This optional element provides password information
(or equivalent such as a hash). It is recommended that
this element only be passed when a secure transport
is being used.
---
The last sentence above should be following?
It is recommended that this element only be passed when a secure
transport is being used and/or password is being digested.
---
Secondly, Typo:(730,733)
/wsse:SecurityTokenReference/KeyIdentifier/{any}
should be
/wsse:SecurityTokenReference/embedded/{any}
and
/wsse:SecurityTokenReference/KeyIdentifier/@{any}
should be
/wsse:SecurityTokenReference/embedded/@{any}
---
Thirdly, Lacking?:(736-749)
The following example illustrates embedding a SAML assertion:
But, I couldn't find SAML assertion in example...
Thanks.
---------
Yutaka Kudo, Researcher.
Web Services, 201 Research Unit.
Systems Development Labo. Hitachi, Ltd.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]