RE: Fresh draft of passwordInTheClear document. from Paul Cotton on 2006-12-11 (www-tag@w3.org from December 2006)

From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Mon, 11 Dec 2006 07:23:39 -0800
To: "Rice, Ed (ProCurve)" <ed.rice@hp.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <4D66CCFC0B64BA4BBD79D55F6EBC22571FD4B7869F@NA-EXMSG-C103.redmond.corp.microsoft>

The following section still needs more editing:



2.2 Secure transfers

Soap communicates over HTTP and is subject to similar password security concerns.  While SSL/TLS secures SOAP based messages point to point, the issue can be more complex if SOAP intermediaries are used.   The TAG's position on SOAP remains consistent that passwords and sensitive information MUST to be transmitted in a secure manner and not as clear text.  If confidential information is to be sent as part of the SOAP package, publishers should either user SSL/TLS or XML Encryption for sensitive data elements.  Further information on security SOAP messages can be found in the document;  WS-I "message level Security' 3<http://passwordsInTheClear-52-20061009.html#WS-I%20Security> or on the Oasis Web Services Security page4<http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html#Oasis%20WSS#Oasis%20WSS>.



1. Change "Soap communicates" to "SOAP communicates".

2. Change "While SSL/TLS secures" to "While SSL/TSL can be used to secure"

3. Change " WS-I "message level Security'" to "WS-I "Security Challenges, Threats and Countermeasures Version 1.0" ".

4. The superscript references 3 and 4 do not appear to work and are not in the usual W3C style.

5. Change "Oasis Web Services Security page4<http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html#Oasis%20WSS#Oasis%20WSS>" to "OASIS Web Services Security TC home page" and fix the reference.



/paulc





Paul Cotton, Microsoft Canada

17 Eleanor Drive, Ottawa, Ontario K2E 6A3

Tel: (613) 225-5445 Fax: (425) 936-7329

mailto:Paul.Cotton@microsoft.com











> -----Original Message-----

> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of

> Rice, Ed (ProCurve)

> Sent: December 11, 2006 9:27 AM

> To: www-tag@w3.org

> Subject: Fresh draft of passwordInTheClear document.

>

>

> I've take everyone's feedback into consideration and have published

> another passwords in the clear document at;

>

> http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html

>

> I appreciate any additional feedback.

> -Ed

Received on Monday, 11 December 2006 15:23:55 UTC