
Subject: RE: [wss] Username token profile comments


Just a couple of comments on Frederick's questions regarding nonce and
creation timestamp ...

- Gene Thurston -
AmberPoint, Inc.


-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
Sent: Monday, July 14, 2003 1:02 PM
To: wss@lists.oasis-open.org
Subject: [wss] Username token profile comments

I have a couple of comments on the Username Token Profile, draft 3, 30
June 2003.

1. Why is it recommended that both nonce and creation timestamp be used
[122] instead of one or the other?

Does recommending both put a burden on implementations, especially with
regard to timestamp management and possible synchronization? Isn't a nonce
adequate for replay attacks when chosen? Is there rationale that should
be stated?

[gt:] 
[gt:] I believe the idea is as follows:  Just using a nonce would be 
[gt:] adequate, but would require the server side to cache used nonces 
[gt:] forever, thus consuming memory resources.  By having the service 
[gt:] configurable with a timestamp "freshness" limitation period, it 
[gt:] will only have to cache nonces for that long.  This is laid out 
[gt:] in points 2 and 3 (lines 124-130), and I feel that the 
[gt:] explanation is sufficient, but perhaps I am in a minority there.
[gt:]

2. Is the assumption that the nonce is generated by one party and used
by the other correct? Or is it just a random value from the sender? If
the receiver first sends the nonce to the requestor and then it is used
in the token, then this needs to be clear.

[gt:]
[gt:] The nonce is intended to be a random value concocted by the sender
[gt:] for each message which includes the UsernameToken.  Perhaps this
[gt:] should be explicitly stated here.
[gt:]

3. More generally, does this document need any processing rules stated?

4. How is Created timestamp defined [174]? Is it wsu:Timestamp or some
other schema dataType?

Some typos:
99s;information..;information.;
118s;SHA-1 has ;SHA-1 hash ;
183 & 201 update wsse, wsu namespaces in examples to match [87] Add wsu
to [87]?

[gt:] 
[gt:] A couple more typos:
[gt:]  + Two periods in the middle of line 106
[gt:]  + Bad line-break at 112/113 
[gt:]  + Missing period at end of line 130 
[gt:]  + Two periods at end of line 138
[gt:]


regards, Frederick
 
Frederick Hirsch
Nokia Mobile Phones



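Gene's replies to points 1 and 2 above describe the server-side mechanism: a nonce that the sender generates at random for each message, a configurable timestamp "freshness" period, and a nonce cache that only has to hold entries for that period because anything older is rejected by the timestamp rule alone. The following is an added illustration of that check, not code from this thread or from the WSS TC. It assumes the Created value is an xsd:dateTime of the form `YYYY-MM-DDThh:mm:ssZ`, a 300-second freshness window, a trivial in-memory password store, and the PasswordDigest form Base64(SHA-1(nonce + created + password)) from the published Username Token Profile; all names (`UsernameTokenVerifier`, `make_token`, `password_digest`) are hypothetical.

```python
"""Replay protection for a WS-Security UsernameToken (added example).

The verifier accepts a token only if its Created timestamp lies inside the
freshness window AND its nonce has not been seen inside that window. A nonce
is remembered exactly until its Created would fail the staleness test, so the
cache is bounded by one window rather than growing forever.
"""
import base64
import hashlib
import hmac
import os
import time
from datetime import datetime, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"   # assumed xsd:dateTime layout, UTC, whole seconds


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as in the Username Token Profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, created_ts: float) -> dict:
    """Client side: a fresh random nonce for every message (constructed sample token)."""
    nonce = os.urandom(16)
    created = datetime.fromtimestamp(created_ts, tz=timezone.utc).strftime(CREATED_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    def __init__(self, passwords: dict, freshness_seconds: int = 300, clock=time.time):
        self.passwords = passwords          # username -> password (assumed store)
        self.freshness = freshness_seconds  # the configurable "freshness" period
        self.clock = clock                  # injectable so tests can move time
        self.seen = {}                      # nonce bytes -> time it may be forgotten

    def _evict_expired(self, now: float) -> None:
        # Drop nonces whose Created is now old enough to be rejected as stale anyway.
        for nonce in [n for n, exp in self.seen.items() if exp <= now]:
            del self.seen[nonce]

    def verify(self, token: dict) -> tuple:
        """Return (accepted, reason). Only accepted tokens populate the nonce cache."""
        now = self.clock()
        self._evict_expired(now)
        try:
            created_dt = datetime.strptime(token["Created"], CREATED_FMT)
            created_ts = created_dt.replace(tzinfo=timezone.utc).timestamp()
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):          # binascii.Error is a ValueError
            return False, "malformed"
        # Accept only if now - freshness < Created <= now + freshness (symmetric skew).
        if created_ts <= now - self.freshness or created_ts > now + self.freshness:
            return False, "stale"
        if nonce in self.seen:
            return False, "replayed"
        password = self.passwords.get(token["Username"])
        if password is None:
            return False, "bad-digest"          # same answer as a wrong password
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode("ascii"),
                                   str(token.get("PasswordDigest", "")).encode("utf-8")):
            return False, "bad-digest"
        # Remember the nonce only until its Created would be stale; then it is evicted.
        self.seen[nonce] = created_ts + self.freshness
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    token = make_token("alice", "s3cret", time.time())
    print(verifier.verify(token))   # first use
    print(verifier.verify(token))   # same message again within the window
```

The eviction condition (`Created + freshness <= now`) is the exact complement of the acceptance condition, so there is no instant at which a nonce has been forgotten but its message would still pass the timestamp test; without the timestamp rule the `seen` dictionary would have to be kept for the lifetime of the service, which is the memory cost Gene refers to.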




