RE: new version of Passwords from Paul Cotton on 2006-10-10 (www-tag@w3.org from October 2006)

From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Tue, 10 Oct 2006 13:27:22 -0700
To: Norman Walsh <Norman.Walsh@Sun.COM>, "Rice, Ed (ProCurve)" <ed.rice@hp.com>
CC: "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <4D66CCFC0B64BA4BBD79D55F6EBC22571E7DF51AB5@NA-EXMSG-C103.redmond.corp.microsoft>

Some more comments in the SOAP part of this finding:



2.2 Secure transfers

Soap communicates over HTTP and is subject to similar password security concerns.  While SSL/TLS secures SOAP bases messages point to point, the issue can be more complex if your using SOAP intermediaries.   The TAG's position on SOAP remains consistent however that passwords and sensitive information needs to be transmitted in a secure manner and not as clear text since this is visible to the intermediaries.  If confidential information is to be sent as part of the SOAP package, publishers should either user SSL/TLS or XML Encryption for sensitive data elements.  For a more detailed discussion, WS_Security provides a WS-I "message level Security' document3<http://www.w3.org/2001/tag/doc/passwordsInTheClear-52#WS-I%20Security#WS-I%20Security>.





A. "SOAP communicates over HTTP" - SOAP can be used over other transports.



B. s/secures SOAP bases messages/secures SOAP-based messages/



C. s/if your using/if you are using/



D. s/SOAP package/SOAP envelope/



E. s/WS_Security/WS-Security/



F. "For a more detailed discussion, WS_Security provides a WS-I "message level Security' document3<http://www.w3.org/2001/tag/doc/passwordsInTheClear-52#WS-I%20Security#WS-I%20Security>."



This sentence does not make sense.  WS-Security is an OASIS specification.  The document you reference was authored by the Basic Security Profile WG of WS-I.  I would recommend that you reference both documents.



/paulc



Paul Cotton, Microsoft Canada

17 Eleanor Drive, Ottawa, Ontario K2E 6A3

Tel: (613) 225-5445 Fax: (425) 936-7329

mailto:Paul.Cotton@microsoft.com











> -----Original Message-----

> From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of

> Norman Walsh

> Sent: October 10, 2006 12:40 PM

> To: www-tag@w3.org

> Subject: Re: new version of Passwords

>

> / Vincent Quint <Vincent.Quint@inrialpes.fr> was heard to say:

> | Thanks to Ed, a new version of the draft TAG finding Passwords in the

> Clear

> | is available for review at

> |

> |    http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

>

> Looks good, Ed. Only one substantive comment: didn't we agree to

> replace the Yankee Group reference with something more generic?

>

> The rest are editorial nits:

>

> s/about the user of/about the use of/

> s/and the needs to/and the need to/

> s/display, temporary/display and temporary/

> s/When passwords are/When a password is/

> s/some external secure systems/some external security systems/

> s/any organization who wishes/any organization that wishes/

> s/customers data/customer's data/

> s/secure transfers of/secure transfer of/

> s/prevent the user of/prevent the use of/

> s/developed by Netscape/developed by Netscape,/

> s/Soap/SOAP/

>

> I'm not sure how to parse "While SSL/TLS secures SOAP bases messages

> point to point" perhaps s/bases //?

>

> s/your using/you're using/

> s/SOAP package/SOAP message/ (just for consistency)

> s/WS_Security/WS Security/

>

> Is "message level Security' capitalized correctly? And note the

> missmatched quotes.

>

> s/stop some from/stop someone from/

>

> The cross references to references use superscripted numbers, but the

> numbers don't actually appear in the references.

>

>                                         Be seeing you,

>                                           norm

>

> --

> Norman Walsh

> XML Standards Architect

> Sun Microsystems, Inc.

Received on Tuesday, 10 October 2006 20:27:58 UTC