Re: Review - Web Services Security: UsernameToken Profile (2 of 3)

Sounds all good to me. JJ.

Marc Hadley wrote:

> 
> In partial fulfillment of my action item from last week's telcon, the  
> following is my initial review of the second part of the Web Services  
> Security committee specification for consideration by the XMLP WG. A  
> review of the final part will follow as time allows.
> 
> Regards,
> Marc.
> 
> Web Services Security - W3C XMLP WG Review
> ------------------------------------------
> 
> This review refers to Web Services Security: UsernameToken Profile  
> located at
> 
> http://www.oasis-open.org/committees/download.php/3154/WSS-Username-04- 
> 081103-merged.pdf
> 
> linked from the WSS TC homepage at:
> 
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
> 
> The comments follow document order, I have indicated the sections of  
> the document and line numbers where appropriate.
> 
> 
> Meta
> ----
> 
> "Comments are welcome from all interested parties and may be submitted  
> to the WSS TC comment list at wss-comment@lists.oasis-open.org . If you  
> are not yet subscribed to this list you will have to subscribe in order  
> to post a comment; send a message to  
> wss-comment-subscribe@lists.oasis-open.org Any comments made can be  
> viewed at http://lists.oasis-open.org/archives/wss-comment/"
> 
> It is counter productive to force commentators to join a mailing list  
> in order to post comments on a public draft - this will put off many  
> casual reviewers. If the TC is serious about gathering public input on  
> the documents then the list should be open to non-subscribers.
> 
> 
> Web Services Security: SOAP Message Security
> --------------------------------------------
> 
> General
> 
> Needs a thorough proof reading session. Throughout the document certain
> words and phrases are highlighted in blue. E.g. the word SOAP is often
> highlighted in blue. There is no mention of any notational convention
> applicable to this coloring so it's not clear if it has any particular
> meaning or intent. On further reading it seems that blue coloring is
> intended to convey a bibliographic citation - a better means of
> indicating this is required. In some places the common [nn] format is
> used for citations; the document should adopt a single consistent style
> throughout. Note that none of the [nn] citations are actually listed in
> the references section of the document!
> 
> Status
> The TC home page describes documents that have achieved committee spec
> status. However the link points to a document whose status section
> indicates it is an 'interim draft'. Shouldn't the status section
> reflect the committee spec status?
> 
> 2. Notations and Terminology
> 
> 2,1 Notational Conventions (should this be 2.1 - i.e. '.' instead of ','?)
> 
> Lines 54-59 seem to be in a different font though the reason for this  
> is unclear.
> 
> 67 "The current SOAP 1.2 namespace URI is used herein...": an old URI
> is used, needs updating to reflect the ns URI of the SOAP 1.2
> Recommendation.
> 
> 3. Terminology
> 
> Repeats much of the text from section 2! It looks to me like section 3
> should be a subsection of section 2. The repeated text needs to be
> removed.
> 
> 3 UsernameToken Extensions
> 
> 87 Section number seems to be 'compromised'. There are two section 3s
> and two section 4s! Renumbering required. None of the subsections of
> the second section 3 are numbered - is this deliberate?
> 
> 93 "providing": the letters 'd' and 'i' are colored purple for some  
> reason.
> 
> 99 "For example, if a server does not have access to the clear text of
> a password but does have the hash, then the hash is considered a
> password equivalent and can be used anywhere where a "password" is
> indicated in this specification.": it's not clear from this description
> whether such a hash should be contained in a wsse:PasswordText or
> wsse:PasswordDigest typed Password element?
> 
> Also note that the formatting of element names and types is not
> consistent. In some places a fixed width font is applied, in others no
> formatting is used. Is there any significance to such formatting
> changes or does the document just need a consistency check?
> 
> 106 "..": there are quite a few instances of double full stops  
> throughout the document, a simple search and replace of ".." for "." is  
> required.
> 
> 126 "1. First, it is recommended that web service providers reject any
> UsernameToken not using both nonce and creation timestamps.":
> recommended or RECOMMENDED as per RFC 2119? Same comment for next two
> points in the list and elsewhere in the document. It's not clear whether
> 'recommended' is being used in the RFC 2119 sense or not. Suggest
> adopting the notations as described in section 2 (and again in the
> first section 3).
> 
> 186, 204 Both examples use out of date SOAP 1.2 namespace URIs.
> 
> References
> 
> A number of out of date references are listed including SOAP 1.2 and  
> XML Encryption. These should be updated to reflect the latest versions.
> 
> -- 
> Marc Hadley <marc.hadley@sun.com>
> Web Technologies and Standards, Sun Microsystems.
> 

Received on Thursday, 25 September 2003 03:58:12 UTC
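The review's remarks on wsse:PasswordDigest (line 99) and on rejecting UsernameTokens that lack both a nonce and a creation timestamp (line 126) concern the same mechanism, so here is an added example, not part of the review or the WSS TC's material, showing the digest as the UsernameToken Profile defines it together with a server-side check. The in-memory secret store, the five-minute freshness window and the whole-second Created format are assumptions of the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

DT_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumes whole-second xsd:dateTime ending in 'Z'

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Password_Digest = Base64(SHA-1(nonce + created + password)), as the
    # UsernameToken Profile defines it; nonce is the raw (base64-decoded) bytes,
    # password the shared secret or whatever "password equivalent" both sides hold.
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def make_token(username: str, password: str, now: datetime) -> dict:
    # Client side: fresh random nonce plus the current Created timestamp.
    nonce = os.urandom(16)
    created = now.strftime(DT_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    # Server side: rejects tokens lacking nonce or Created (the review's point 1),
    # stale tokens and replayed nonces. The dict secret store and unbounded nonce set
    # are hypothetical simplifications; a real cache only keeps nonces inside the window.
    def __init__(self, secrets: dict, freshness: timedelta = timedelta(minutes=5)):
        self.secrets, self.freshness, self.seen_nonces = secrets, freshness, set()

    def verify(self, token: dict, now: datetime) -> str:
        nonce_b64, created = token.get("Nonce"), token.get("Created")
        if not nonce_b64 or not created:
            return "rejected: nonce and Created both required"
        try:
            created_dt = datetime.strptime(created, DT_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "rejected: malformed Created"
        if abs(now - created_dt) > self.freshness:  # tolerate clock skew either way
            return "rejected: stale Created"
        nonce = base64.b64decode(nonce_b64)
        if nonce in self.seen_nonces:
            return "rejected: nonce replayed"
        secret = self.secrets.get(token.get("Username"))
        if secret is None:
            return "rejected: unknown user"
        expected = password_digest(nonce, created, secret).encode("ascii")
        if not hmac.compare_digest(expected, str(token.get("PasswordDigest", "")).encode()):
            return "rejected: bad digest"
        self.seen_nonces.add(nonce)  # remember the nonce only once all checks pass
        return "accepted"
```

Without the nonce the replay check has nothing to key on, and without Created the nonce set would have to grow forever; the verifier's first check is exactly the rejection the review's line 126 recommends.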