Subject: Re: [wss] Username token profile comments






Frederick,

Do you have proposed text so we can close ?

Anthony Nadalin | work 512.436.9568 | cell 512.289.4122


From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Sent: 07/14/2003 03:02 PM
To: <wss@lists.oasis-open.org>
cc:
Subject: [wss] Username token profile comments




I have a couple of comments on the Username Token Profile, draft 3, 30 June 2003.

1. Why is it recommended that both nonce and creation timestamp be used [122] instead of one or the other?

Does recommending both put a burden on implementations, especially with regard to timestamp management and possible synchronization? Isn't a nonce adequate for replay attacks when chosen? Is there rationale that should be stated?

2. Is the assumption that the nonce is generated by one party and used by the other correct? Or is it just a random value from the sender? If the receiver first sends the nonce to the requestor and then it is used in the token, then this needs to be clear.

3. More generally, does this document need any processing rules stated?

4. How is Created timestamp defined [174]? Is it wsu:Timestamp or some other schema dataType?

Some typos:
99s;information..;information.;
118s;SHA-1 has ;SHA-1 hash ;
183 & 201 update wsse, wsu namespaces in examples to match [87] Add wsu to [87]?


regards, Frederick

Frederick Hirsch
Nokia Mobile Phones
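The first two questions in the quoted message ask why both a nonce and a Created timestamp are recommended, and whether the nonce has to be issued by the receiver. The following receiver-side replay check is an added example written for this archive page; it is not code or text from the thread, the working group, or the profile itself. It shows the interaction the two values have: the timestamp lets the receiver reject stale messages outright and purge nonces that have aged out of the freshness window, so the cache of seen nonces stays bounded (a nonce alone would have to be remembered forever), while the nonce distinguishes two legitimate messages created in the same second and is a random value chosen by the sender with no round trip to the receiver. It assumes the digest form of the published Username Token Profile, Base64(SHA-1(nonce + created + password)); the five-minute window, the credentials, the token dictionaries and the names ReplayGuard, make_token and demo are constructed for the example.

```python
"""Receiver-side replay check for a UsernameToken-style (Nonce, Created)
pair. Constructed example, not code from the OASIS wss thread or the profile."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# How far a Created timestamp may lie from the receiver's clock, in either
# direction, before the message is rejected as stale. Assumed policy value.
FRESHNESS_WINDOW = timedelta(minutes=5)


def parse_created(created: str) -> datetime:
    """Parse a wsu:Created-style UTC xsd:dateTime such as 2003-07-14T15:02:00Z."""
    return datetime.fromisoformat(created.replace("Z", "+00:00"))


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the digest form of the
    published Username Token Profile (assumed to match the draft discussed)."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_token(password: str, created: str, nonce: Optional[bytes] = None) -> dict:
    """Sender side: the nonce is a random value chosen by the sender alone;
    the receiver never has to issue it first."""
    nonce = os.urandom(16) if nonce is None else nonce
    return {
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class ReplayGuard:
    """Receiver side. Created bounds the nonce cache: a nonce only needs to be
    remembered while a message carrying it could still pass the freshness
    check. With a nonce alone the cache could never be purged."""

    def __init__(self, window: timedelta = FRESHNESS_WINDOW):
        self.window = window
        self.seen = {}  # base64 nonce -> Created, for nonces still inside the window

    def check(self, token: dict, password: str, now: datetime) -> str:
        created = parse_created(token["Created"])
        # 1. Freshness. A stale message is rejected whether or not its nonce was
        #    ever seen, so nonces older than the window need not be kept.
        if abs(now - created) > self.window:
            return "stale"
        # 2. Authenticate the digest before the nonce is consumed, so a message
        #    with a forged digest cannot poison the cache against the real one.
        nonce = base64.b64decode(token["Nonce"])
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return "bad-digest"
        # 3. Purge nonces that have aged out of the window, then detect replay.
        cutoff = now - self.window
        self.seen = {n: c for n, c in self.seen.items() if c >= cutoff}
        if token["Nonce"] in self.seen:
            return "replay"
        self.seen[token["Nonce"]] = created
        return "ok"


def demo() -> tuple:
    """Constructed sequence of deliveries; returns the verdicts and the final
    cache size. The receiver clock is simulated by the `now` argument."""
    password = "constructed-secret"
    guard = ReplayGuard()
    t0 = datetime(2003, 7, 14, 15, 2, 0, tzinfo=timezone.utc)
    token = make_token(password, "2003-07-14T15:02:00Z")
    forged = dict(token, PasswordDigest="AAAAAAAAAAAAAAAAAAAAAAAAAAA=")
    later = make_token(password, "2003-07-14T15:08:00Z")
    verdicts = [
        guard.check(token, password, t0 + timedelta(seconds=10)),   # first delivery
        guard.check(token, password, t0 + timedelta(seconds=20)),   # same message again
        guard.check(forged, password, t0 + timedelta(seconds=30)),  # same nonce, wrong digest
        guard.check(later, password, t0 + timedelta(minutes=6)),    # new message; first nonce aged out
        guard.check(token, password, t0 + timedelta(minutes=10)),   # outside the window: no cache needed
    ]
    return verdicts, len(guard.seen)


if __name__ == "__main__":
    print(demo())  # (['ok', 'replay', 'bad-digest', 'ok', 'stale'], 1)
```

The ordering inside `check` matters: freshness is tested first so that old messages never touch the cache, and the digest is verified before the nonce is recorded. The window is symmetric so that modest clock skew between sender and receiver, the synchronization concern raised in the message, is tolerated rather than fatal.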








