Review - Web Services Security: X.509 Token Profile (3 of 3)

In fulfillment of my action item from a recent telcon, the following is  
my initial review of the third part of the Web Services Security  
committee specification for consideration by the XMLP WG.

Regards,
Marc.

Web Services Security - W3C XMLP WG Review
------------------------------------------

This review refers to Web Services Security: X.509 Token Profile  
located at

http://www.oasis-open.org/committees/download.php/3214/WSS-X509%20draft%2010.pdf

linked from the WSS TC homepage at:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

The comments follow document order; I have indicated the sections of
the document and line numbers where appropriate.

Meta
----

"Comments are welcome from all interested parties and may be submitted  
to the WSS TC comment list at wss-comment@lists.oasis-open.org . If you  
are not yet subscribed to this list you will have to subscribe in order  
to post a comment; send a message to  
wss-comment-subscribe@lists.oasis-open.org Any comments made can be  
viewed at http://lists.oasis-open.org/archives/wss-comment/"

It is counterproductive to force commentators to join a mailing list
in order to post comments on a public draft - this will put off many
casual reviewers. If the TC is serious about gathering public input on
the documents then the list should be open to non-subscribers.


Web Services Security: X.509 Token Profile
------------------------------------------

General
Despite referring to SOAP 1.2, most, if not all, of the examples and  
namespace URIs are taken from previous versions of SOAP or early drafts  
of the SOAP 1.2 Recommendation - a pass through the document to ensure  
alignment with the SOAP 1.2 Recommendation is required.

Status
The TC home page describes documents that have achieved committee spec
status. However, the link points to a document whose status section
indicates it is an 'interim draft'. Shouldn't the status section
reflect the committee spec status?

2.1 Notational Conventions

142 "This document uses the notational conventions defined in SOAP
Message Security [WS-Security].": SOAP Message Security is colored
blue, the reason for this isn't clear. I suspect it's something related
to the following citation, but that is already captured in the
[WS-Security].

148 "The XML namespace URIs": XML namespace is colored blue, perhaps
this should be followed by [XML-ns]? Further occurrences of this are
not noted; the editors need to settle on a single citation format.

151, 152 It's surprising to see the WSS namespace URIs using the
xmlsoap.org domain. This domain is the property of Microsoft Corp and
they maintain control over what such namespace URIs resolve to. For an
OASIS standard one would expect namespace URIs to use the
oasis-open.org domain instead.

153 The SOAP namespace is out of date; it needs updating to the SOAP 1.2
Recommendation namespace.

238, 285, 362 Update the envelope namespace to the SOAP 1.2 Recommendation
namespace.

3.3.1 Key Identifier

233 "Consequently implementations that use this form of reference
within a signature SHOULD employ the wsse:SecurityTokenReference
deferencing transform within a core barename XPointer reference to the
signature key information in order to ensure that the referenced
certificate is signed, and not just the ambiguous reference.":
Editorial s/deferencing/dereferencing/. This could do with some
rewording to make the intent clear, spelling out exactly what is being
recommended (signing the ds:KeyInfo via an XPointer reference along
with the actual data to be signed?). Also a reference to the
definition of the wsse:SecurityTokenReference dereferencing transform
would be useful here.

4 References

It would be useful to give URLs to those referenced specifications that  
are available online.

417 SOAP reference is to SOAP 1.1, should be to SOAP 1.2 Recommendation.

426, 427 references need to be filled in.

--
Marc Hadley <marc.hadley@sun.com>
Web Technologies and Standards, Sun Microsystems.

Received on Tuesday, 30 September 2003 12:12:31 UTC
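The point behind the line 233 recommendation, shown as an added example that is not part of the review or the draft: a ds:Reference that points at the STR by barename XPointer digests only the Key Identifier string, so any certificate matching that identifier verifies, whereas the STR dereferencing transform digests the certificate the signer resolved, binding that specific token. The store, certificate bytes and un-namespaced STR markup below are constructed placeholders, and the transform is modelled only as "replace the STR by the token's octets".

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed token store keyed by Key Identifier. Two distinct certificates
# deliberately share one identifier to model the "ambiguous reference" the
# quoted sentence warns about (certificate bytes are placeholders).
CERT_STORE = {
    "ki-abc123": [b"CERT-A (constructed DER bytes)", b"CERT-B (constructed DER bytes)"],
}

# Constructed wsse:SecurityTokenReference carrying a Key Identifier. Namespace
# prefixes and URIs are omitted; this is not the draft's own markup.
STR_XML = (
    '<SecurityTokenReference Id="str1">'
    '<KeyIdentifier ValueType="X509SubjectKeyIdentifier">ki-abc123</KeyIdentifier>'
    '</SecurityTokenReference>'
)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def resolve(str_xml: str, store: dict) -> list:
    """Dereference the STR: every token whose Key Identifier matches."""
    ki = ET.fromstring(str_xml).find("KeyIdentifier").text
    return store.get(ki, [])

def digest_plain_reference(str_xml: str) -> str:
    """A barename XPointer ds:Reference to the STR digests the STR element
    itself, i.e. only the identifier string, never the certificate."""
    return sha256_hex(str_xml.encode())

def digest_with_str_transform(token: bytes) -> str:
    """Simplified STR dereferencing transform: the STR is replaced by the
    token it resolves to, so the digest covers the certificate bytes."""
    return sha256_hex(token)

def tokens_consistent_with_signature(str_xml, store, signed_digest, use_transform):
    """Which candidate tokens would a verifier accept for a signed digest?"""
    accepted = []
    for token in resolve(str_xml, store):
        if use_transform:
            d = digest_with_str_transform(token)
        else:
            d = digest_plain_reference(str_xml)
        if d == signed_digest:
            accepted.append(token)
    return accepted
```

Without the transform both candidates satisfy the signature, so a verifier that resolves the identifier to the wrong certificate cannot tell; with the transform only the certificate the signer actually digested is accepted.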