Comments on WSS: SOAP Message Security

["Srinivas, Davanum M" <Davanum.Srinivas@ca.com>]

Title: Comments on WSS: SOAP Message Security

Anthony,

Here's are my comments on the latest draft that that you posted this morning.

#1: Lines 181-184: When will we figure out what to replace the "####"'s in the 2 namespaces? :)

#2: Line 293 (Figure line 002). SOAP namespace is declared as S11 but S:Envelope and S:Header is used. This is the same problem in MANY code examples.

#3: Line 326 (Figure line 026): xmlns:wsu needs to be defined somewhere.

#4: Line 335: replace "<Security>" with "<wsse:Security>"

#5: Line 428 and 429: "S:role" is in the wrong font.

#6: Lines 445-454: Need to define "xmlns:wsse" and "xmlns:S"

#7: Line 462: Shouldn't there be an entry for "/wsse:Security/@S:mustUnderstand"?

#8: Line 472: replace "RECCOMENDED" with "RECOMMENDED"

#9: Line 524: Should there be a /wsse:UsernameToken/Username/{any}?

#10: Line 540: Could we add a wsu:Id in the example?

#11: Line 536-547: Need to define xmlns:wsse, xmlns:wsu in the example.

#12: Line 586: Is there a "#HexBinary"??? If #Base64Binary is the default, what are the other options? :)

#13: Line 591: Should there be a /wsse:BinarySecurityToken/{any} as well

#14: Line 748: Is there a "#HexBinary"??? If #Base64Binary is the default, what are the other options? :)

#15: Line 752: Should there be a /wsse:SecurityTokenReference/KeyIdentifier/{any}?

#16: Line 780-795: Need to define "xmlns:wsse" and "xmlns:wsu" in the example.

#17: Line 808: Replace "RECOMMENED" with "RECOMMENDED"

#18: Line 808: Replace "KeyIdentifiers" with "<wsse:KeyIdentifier>'s"

#19: Line 810: Replace "<X509SubjectName>" with "<ds:X509SubjectName>"

#20: Line 823: Replace "SecurityTokenReference" with "<wsse:SecurityTokenReference>"

#21: Line 841: Add "[XMLSIG]" at the end of the line.

#22: Line 875: Change the font for xml:lang and xml:base to make it more readable.

#23: Line 886: Change the font for xsi:type to make it more readable. Also xsi is not defined in the table at line 193

#24: Line 948: *** BIGGIE *** - need to move away from schemas.xmlsoap.org and use the oasis namespace just like we do for wsse and wsu namespaces

#25: Line 973: Same as #24

#26: Line 1004: Same as #24

#27: Line 1007: Add "[XMLSIG]" to the end of the line

#28: Line 1011: Replace "ds:CanonicalizationMethod" with "<ds:CanonicalizationMethod>"

#29: Line 1016: Replace "wsse:TransformationParameters" with "<wsse:TransformationParameters>"

#30: Line 1016: *** BIGGIE *** - secext.xsd does not define "<wsse:TransformationParameters>" it does however define a TransformationProperties...????

#31: Line 1019: Replace "wsse:SecurityTokenReference" with "<wsse:SecurityTokenReference>"

#32: Line 1023: Replace "<wsse:BinarySecurityToke" with ""<wsse:BinarySecurityToken>"

#33: Line 1036: Add "[XMLSIG]" to the end of the line.

#34: Line 1052-1094: Need to define xmlns:wsse, xmlns:wsu and xmlns:ds

#35: Line 1110: Add "[XMLENC]" to the end of the line.

#36: Line 1128-1147: Need to define xmlns:wsse, xmlns:xenc and xmlns:ds

#37: Line 1161-1189: Need to define xmlns:wsse, xmlns:xenc and xmlns:ds

#38: Line 1161-1189: the text talks about a RefernenceList, should we enhance the sample to show how a ReferenceList would look like?

#39: Line 1199: Replace "<Security>" with "<wsse:Security>"

#40: Line 1210: Replace "<Security>" with "<wsse:Security>"

#41: Line 1212: Change the font for "<wsse:Security>"

#42: Line 1223: Replace "<SecurityTokenReference>" with "<wsse:SecurityTokenReference>"

#43: Line 1243: Replace "<ReferenceList>" with "<wsse:ReferenceList>"

#43: Line 1243: Replace "<EncryptedKey>" with "<wsse:EncryptedKey>"

#44: Line 1275: Change font for "<wsu:Timestamp>"

#45: Line 1278-1282: Should we add wsse:Nonce to the example? BTW, Where are Nonce's discussed in the spec? Appendix A just has wsu namespace stuff

#46: Line 1289: Replace "Timestamp" with "<wsu:Timestamp>"

#47: Line 1298: Replace "Timestamp" with "<wsu:Timestamp>"

#49: Line 1302: Change font for "<wsu:MessageExpired>"

#50: Line 1329-1343: Should we add wsse:Nonce to the example? BTW, Where are Nonce's discussed in the spec? Appendix A just has wsu namespace stuff

#51: Line 1350: Need to define xmlns:wsse, xmlns:wsu, xmlns:xenc and xmlns:ds

#52: Line 1456: Replace "(057)" with "(059)"

#53: Line 1458: Replace "(059)" with "(060)"

#54: Line 1480: Change font for "env:Sender" (should env be S12?)

#55: Line 1481: Replace "Texst" with "Text"

#56: Line 1579: Replace "<wsu:Ids>" with "<wsu:Id>'s"

#57: Line 1591: Replace "EncryptedKey" with "<xenc:EncryptedKey>"

#58: Line 1595: Change font for "wsu:Id" AND add angle brackets as well.

#59: Line 1598: "wsu:Id" -> "<wsu:Id>"

#60: Line 1600: dateTime -> "xsd:dateTime"?

#61: Line 1727: Table is missing for example "wsu:TimestampType" which is in the xsd file

Thanks,
dims

Davanum Srinivas
Computer Associates
Senior Architect, Web Services Group
Tel: +1 508 628 8251
davanum.srinivas@ca.com