NEW ISSUE 3753: Example 1-1 is not a complete security policy

http://www.w3.org/Bugs/Public/show_bug.cgi?id=3753

Title

Example 1-1 is not a complete security policy


Description

Example 1-1 shows a simple policy with two security policy assertions in 
lines 03 and 04. According to WS-SecurityPolicy 1.2, section 7.1, these 
security policy assertions must be encapsulated by a policy that is 
nested inside an AlgorithmSuite assertion. The enclosing AlgorithmSuite 
assertions as well as suitable top-level assertions containing the 
AlgorithmSuite assertions are missing from example 1-1.

The examples in the following chapters build on this first example. 
Despite extensive research we did not find a policy that is sufficiently 
simple, can serve as a basis for the other examples, and still is a 
valid policy. We should still point out that the example given is an 
incomplete policy that only serves to illustrate what a policy could look 
like.


Justification

An example of a policy that claims to display a security policy but in 
fact violates the constraints of WS-SecurityPolicy causes unnecessary 
confusion among readers of both specifications.


Target

Web Services Policy Framework, section 1.2, example 1-1


Proposal

Replace "The following example illustrates a security policy expression 
using assertions defined in WS-SecurityPolicy [WS-SecurityPolicy]:"

by "The following example illustrates a security policy expression using
assertions defined in WS-SecurityPolicy [WS-SecurityPolicy] rather than 
a complete security policy:"

Received on Tuesday, 19 September 2006 15:08:07 UTC
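
The nesting constraint cited in the Description can be checked mechanically. The following is an added example, not part of the original message or of either specification; the namespace URIs (taken from the final WS-Policy 1.5 and WS-SecurityPolicy 1.2 publications), the function name and both sample policies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs (final publications); the 2006 drafts used earlier ones.
WSP = "http://www.w3.org/ns/ws-policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Only the two algorithm suite assertions relevant here; the spec defines more.
SUITES = {f"{{{SP}}}Basic256Rsa15", f"{{{SP}}}TripleDesRsa15"}
OPERATORS = {f"{{{WSP}}}ExactlyOne", f"{{{WSP}}}All"}
NS = f'xmlns:wsp="{WSP}" xmlns:sp="{SP}"'

# Constructed sample: suite assertions placed directly in a top-level policy.
BARE = f"""<wsp:Policy {NS}><wsp:ExactlyOne>
  <sp:Basic256Rsa15/><sp:TripleDesRsa15/>
</wsp:ExactlyOne></wsp:Policy>"""

# Constructed fragment showing only the nesting, not a complete binding.
NESTED = f"""<wsp:Policy {NS}><sp:AsymmetricBinding><wsp:Policy>
  <sp:AlgorithmSuite><wsp:Policy>
    <sp:Basic256Rsa15/>
  </wsp:Policy></sp:AlgorithmSuite>
</wsp:Policy></sp:AsymmetricBinding></wsp:Policy>"""

def misplaced_suites(xml_text):
    """Return local names of suite assertions that are not nested as
    sp:AlgorithmSuite / wsp:Policy / [policy operators] / assertion."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    bad = []
    for el in root.iter():
        if el.tag not in SUITES:
            continue
        anc = parent.get(el)
        # Skip wsp:ExactlyOne / wsp:All so normal-form nested policies pass.
        while anc is not None and anc.tag in OPERATORS:
            anc = parent.get(anc)
        holder = parent.get(anc) if anc is not None else None
        ok = (anc is not None and anc.tag == f"{{{WSP}}}Policy"
              and holder is not None
              and holder.tag == f"{{{SP}}}AlgorithmSuite")
        if not ok:
            bad.append(el.tag.split("}")[1])
    return bad

if __name__ == "__main__":
    print("bare:  ", misplaced_suites(BARE))
    print("nested:", misplaced_suites(NESTED))
```
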