Subject: RE: [wss] Username token profile comments
Just a couple of comments on Frederick's questions regarding nonce and creation timestamp ...

- Gene Thurston - AmberPoint, Inc.

-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
Sent: Monday, July 14, 2003 1:02 PM
To: wss@lists.oasis-open.org
Subject: [wss] Username token profile comments

I have a couple of comments on the Username Token Profile, draft 3, 30 June 2003.

1. Why is it recommended that both nonce and creation timestamp be used [122] instead of one or the other? Does recommending both put a burden on implementations, especially with regard to timestamp management and possible synchronization? Isn't a nonce adequate for replay attacks when chosen? Is there rationale that should be stated?

[gt:]
[gt:] I believe the idea is as follows: Just using a nonce would be
[gt:] adequate, but would require the server side to cache used nonces
[gt:] forever, thus consuming memory resources. By having the service
[gt:] configurable with a timestamp "freshness" limitation period, it
[gt:] will only have to cache nonces for that long. This is laid out
[gt:] in points 2 and 3 (lines 124-130), and I feel that the
[gt:] explanation is sufficient, but perhaps I am in a minority there.
[gt:]

2. Is the assumption that the nonce is generated by one party and used by the other correct? Or is it just a random value from the sender? If the receiver first sends the nonce to the requestor and then it is used in the token, then this needs to be clear.

[gt:]
[gt:] The nonce is intended to be a random value concocted by the sender
[gt:] for each message which includes the UsernameToken. Perhaps this
[gt:] should be explicitly stated here.
[gt:]

3. More generally, does this document need any processing rules stated?

4. How is the Created timestamp defined [174]? Is it wsu:Timestamp or some other schema dataType?

Some typos:

99s;information..;information.;
118s;SHA-1 has ;SHA-1 hash ;
183 & 201 update wsse, wsu namespaces in examples to match [87]
Add wsu to [87]?

[gt:]
[gt:] A couple more typos:
[gt:] + Two periods in the middle of line 106
[gt:] + Bad line-break at 112/113
[gt:] + Missing period at end of line 130
[gt:] + Two periods at end of line 138
[gt:]

regards, Frederick

Frederick Hirsch
Nokia Mobile Phones
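The exchange above turns on a processing rule that the draft only implies: a sender-generated random nonce prevents replay, and a Created timestamp with a configurable freshness window lets the receiver forget nonces after that window instead of caching them forever. The example below is added here by the editor and is not code from the thread, the TC or any WSS implementation. It assumes the PasswordDigest formula of the published UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)); the five-minute window, the user table, the injectable clock and the constructed tokens are all illustrative choices.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# Hypothetical freshness window; the profile leaves the value to the service.
FRESHNESS = timedelta(minutes=5)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), as in profile 1.0."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, created: str,
               nonce: Optional[bytes] = None) -> Dict[str, str]:
    """Sender side: a fresh random nonce per message plus the Created timestamp."""
    nonce = os.urandom(16) if nonce is None else nonce
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Receiver side: replay cache bounded by the Created freshness window."""

    def __init__(self, passwords: Dict[str, str], freshness: timedelta = FRESHNESS,
                 clock: Optional[Callable[[], datetime]] = None):
        self._passwords = passwords
        self._freshness = freshness
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._seen = {}  # nonce bytes -> instant after which it may be forgotten

    @staticmethod
    def _parse_created(created: str) -> Optional[datetime]:
        try:
            return datetime.fromisoformat(created.replace("Z", "+00:00"))
        except ValueError:
            return None

    def cached_nonces(self) -> int:
        return len(self._seen)

    def verify(self, token: Dict[str, str]) -> Tuple[bool, str]:
        now = self._clock()
        # A nonce whose Created is already outside the window can never be
        # accepted again, so it no longer needs to occupy memory.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}

        created_at = self._parse_created(token["Created"])
        if created_at is None:
            return False, "unparseable Created"
        # Symmetric window tolerates modest clock skew in either direction.
        if abs(now - created_at) > self._freshness:
            return False, "stale Created"
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self._seen:
            return False, "replayed nonce"
        password = self._passwords.get(token["Username"])
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "digest mismatch"
        # Remember the nonce only as long as its Created stays acceptable.
        self._seen[nonce] = created_at + self._freshness
        return True, "ok"


def demo() -> list:
    """Constructed scenario: accept, replay, bad password, stale, expiry of the cache."""
    passwords = {"alice": "correct horse"}
    clock = [datetime(2003, 7, 14, 13, 2, tzinfo=timezone.utc)]
    v = UsernameTokenVerifier(passwords, clock=lambda: clock[0])
    results = []
    tok = make_token("alice", "correct horse", "2003-07-14T13:01:30Z", nonce=b"0123456789abcdef")
    results.append(v.verify(tok))                     # (True, "ok")
    results.append(v.verify(tok))                     # replay inside the window
    bad = make_token("alice", "wrong", "2003-07-14T13:01:30Z", nonce=b"fedcba9876543210")
    results.append(v.verify(bad))                     # wrong password
    old = make_token("alice", "correct horse", "2003-07-14T12:00:00Z", nonce=b"abcdef0123456789")
    results.append(v.verify(old))                     # Created older than the window
    clock[0] += timedelta(minutes=10)                 # time passes; cache can shrink
    results.append(v.verify(tok))                     # replay now rejected by timestamp
    results.append(v.cached_nonces())                 # nothing left to remember
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note that the replay check runs before the digest check so a replayed message is refused cheaply, and that eviction keys on Created plus the window rather than on arrival time: once Created is stale the timestamp rule alone rejects the message, which is exactly why the cache can be bounded.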