- From: Marc Hadley <Marc.Hadley@Sun.COM>
- Date: Tue, 14 Oct 2003 17:03:52 -0400
- To: xml-dist-app@w3.org
Here's the full WSS review with Noah's comments merged in. Regards, Marc. Web Services Security - W3C XMLP WG Review ------------------------------------------ This review refers to the Web Services Security committee specifications linked from the WSS TC homepage at: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss The comments follow document order and indicate the sections of the document and line numbers where appropriate. Significant/serious issues are called out with ***, other issues are mainly editorial in nature. Meta ---- "Comments are welcome from all interested parties and may be submitted to the WSS TC comment list at wss-comment@lists.oasis-open.org . If you are not yet subscribed to this list you will have to subscribe in order to post a comment; send a message to wss-comment-subscribe@lists.oasis-open.org Any comments made can be viewed at http://lists.oasis-open.org/archives/wss-comment/" It is counter productive to force commentators to join a mailing list in order to post comments on a public draft - this will put off many casual reviewers. If the TC is serious about gathering public input on the documents then the list should be open to non-subscribers. Web Services Security: SOAP Message Security -------------------------------------------- This review refers to Web Services Security: SOAP Message Security located at http://www.oasis-open.org/committees/download.php/3281/WSS- SOAPMessageSecurity-17-082703-merged.pdf General Needs a good proofreading session. There are numerous grammatical and punctuation errors, some of which are noted below. SOAP 1.2 is the "Recommendation"-level version of SOAP, and we believe that WSS should be clear in its support for SOAP 1.2 as well as SOAP 1.1. Furthermore, among the changes that we believe to be improvements in SOAP 1.2 was the more careful use of terminology and the more careful presentation of a rigorous processing model. While we clearly understand the need for WSS to support SOAP 1.1 as well as SOAP 1.2, we strongly urge you to use SOAP 1.2 terminology wherever possible for abstractions such as nodes, intermediaries, roles, etc. We furthermore encourage you to refer wherever appropriate to the SOAP 1.2 processing model, faults, etc. In many cases we believe that this will aid not just in the use of WSS with SOAP 1.2, but in the precise presentation of the use of WSS with SOAP 1.1 as well (since in many cases SOAP 1.1 has no precise explanation of terms that are carefully introduced in SOAP 1.2.) Where SOAP 1.1 differs in its useage or terminology from SOAP 1.2, we suggest that you clearly explain the use of WSS in both environments. Despite referring to SOAP 1.2, most, if not all, of the examples and namespace URIs are taken from previous versions of SOAP or early drafts of the SOAP 1.2 Recommendation - a pass through the document to ensure alignment with the SOAP 1.2 Recommendation is required. Status The TC home page describes documents that have achieved committee spec status. However the link points to a document whose status section indicates it is an 'interim draft'. Shouldn't the status section reflect the committee spec status ? Abstract "No specific type of security token is required the specification is designed to be extensible (e.g. support multiple security token formats).": insert a comma after 'required', change 'e.g.' to 'i.e. to'. 1. Introduction *** The introduction talks about SOAP extensions. For consistency with SOAP 1.2, it should instead use the SOAP 1.2 terminology of features and modules. See section 3 of SOAP 1.2 Part 1. 110 "This specification provides three main mechanisms: ability to send security token as part...": 'a security token' or 'security tokens'. 1.1.1 Requirements 139, looks like this should be part of the bulletted list rather than a standalone paragraph. 2. Notational Conventions Throughout the document certain words and phrases are highlighted in blue or red. E.g. the word SOAP is often highlighted in blue. There is no mention of any notational convention applicable to this coloring so its not clear if it has any particular meaning or intent. When printed in black and white its unlikely that such color information will be visible so it would be better to use some other typographic convention, e.g. italics or bold. On further reading it seems that blue coloring is intended to convey a bibiographic citation - a better means of indicating this is required. Lines 150-155 seem to be in a different font though the reason for this is unclear. 2.2 Namespaces *** 170, 171: Its surprising to see the WSS namespace URIs using the xmlsoap.org domain. This domain is the property of Microsoft Corp and they maintain control over what such namespace URI resolve to. For an OASIS standard one would expect namespace URIs to use the oasis-open.org domain instead. 175: Update the soap namespace to use the one from the SOAP 1.2 Recommendation. 2.3 Terminology *** 185 "End-To-End Message Level Security - End-to-end message level security is established when a message that traverses multiple applications within...": We have suggested above the careful use of SOAP 1.2 terminology, and we believe that this paragraph is an example. SOAP 1.2 defines the SOAP message path as "The set of SOAP nodes through which a single SOAP message passes. This includes the initial SOAP sender, zero or more SOAP intermediaries, and an ultimate SOAP receiver." A single SOAP message doesn't traverse multiple applications unless they are SOAP intermediaries, if they are not then each application-application interaction is effectively a separate SOAP message exchange. 3.2 Message Protection 252 "This document defines syntax and semantics of signatures within <wsse:Security> element.": 'a ... element' or 'the ... element'. 253 "This document does not specify any signature appearing outside of <wsse:Security> element.": 'a ... element' or 'the ... element'. *** SOAP 1.2 is XML Infoset based, SOAP bindings are required to preserve SOAP message infosets when transferring messages. In order to properly integrate with SOAP, the SOAP Message Security specifications need to be recast in Infoset terms. This will require the specification to normatively state the mapping from XML Infoset to the data object (typically an XPath nodeset) used as input to the constituent cryptographic operations (e.g. C14N). 3.3 Invalid or Missing Claims 255 "The message recipient SHOULD reject a message with an invalid signature, a message that is missing necessary claims and a message whose claims have unacceptable values as such messages are unauthorized (or malformed) message..": Bad grammar, replace with something like "A message recipient SHOULD reject messages containing invalid signatures, messages missing necessary claims or messages whose claims have unacceptable values. Such messages are unauthorized (or malformed)." 3.4 Example Example uses a SOAP 1.1 envelope, change to use SOAP 1.2. 5 Security Header 400 "The <wsse:Security> header block provides a mechanism for attaching security-related information targeted at a specific recipient in a form of a SOAP role.": change 'in a form of a' to 'in the form of a'. *** 406 "a message MAY have multiple <wsse:Security> header blocks if they are targeted for separate recipients." why can't a message contain multiple wsse:Security header blocks targetted at the same recipient, this seems like an uneccessary/arbitrary restriction. In addition it requires intermediaries to modify header blocks not targetted at them if they wish to insert security information targetted at a role for which there already exists a wsse:Security header block. An alternative design leveraging the role, relay capabilities of SOAP 1.2 is recommended. *** 410 "The <wsse:Security> header block without a specified S:role MAY be consumed by anyone, but MUST NOT be removed prior to the final destination or endpoint." What does 'consumed' mean. SOAP 1.2 makes it clear that SOAP headers without a role attribute are equivalent to those with a role of "http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver". In both cases the ultimate receiver of the message is the target of the header block. *** 450 "All compliant implementations MUST declare which profiles they support": how must they declare this ? This seems like an untestable assertion and should probably be dropped. *** 455 "The optional mustUnderstand SOAP attribute on Security header simply means you are aware of the Web Services Security: SOAP Message Security specification, and there are no implied semantics.": No ! The mustUnderstand attribute has the semantics as defined by the SOAP 1.2 specification. All SOAP nodes MUST abide by the SOAP processing model including generation of mustUnderstand faults if the header block is not understood. SOAP modules and features cannot override these semantics. 6.2 Username Token 495 "This is an extensibility mechanism to allow additional attributes, based on schemas, to be the <wsse:Username> element.": change 'to be the' to 'to be added to the'. *** 503 "All compliant implementations MUST be able to process a <wsse:UsernameToken> element." The element is extensible, what should compliant implementations do with extensions they don't understand - ignore them, fault, ... Such extensibility semantics must be defined for all extensible elements, just making things extensible isn't sufficient. 506 Change example to use SOAP 1.2 envelope instead of SOAP 1.1. 6.3 Binary Security Tokens 545 "This attribute is extensible using XML namespaces.": Confusing, the attribute isn't extensible in itself, but its value could be said to be extensible though really just saying the attributes type is a XML qualified name is probably sufficient. *** 548 /wsse:BinarySecurityToken/@EncodingType: this seems to be reinventing XML schema to a certain extent. Wouldn't it be better to allow child elements of BinarySecurityToken, one per type of encoding, that way a schema processor can verify the contents on behalf of the wsse processor. *** Also, why use qualified names instead of URIs for identifying encoding types. URIs don't have the problem of maintaining namespace prefixes that demands the ns declaration location requirements outlined in this section. Use of qualified names in element and attribute values complicates things... *** 558 "All compliant implementations MUST be able to process a <wsse:BinarySecurityToken> element.": same comment as for UsernameToken, what should an implementation do with a token of unknown type or one containing an extension that is not understood. 6.4 XML Tokens *** 578 "This section presents the basic principles and framework for using XML-based security tokens." Is this section complete ? There's no trace of any principles or a framework. 7.1 SecurityTokenReference Element *** Same comment as for BinarySecurityToken re extensibility semantics and requiring all implementations to be able to process the element. 8.1 Algorithms *** Surprised that there is no mention of SOAP Message Normalization (sop12-n11n) here: http://www.w3.org/TR/2003/NOTE-soap12-n11n-20030328/. How does SOAP Message Security cope with the variations that soap12-n11n aims to removes from messages ? *** 832 "Finally, if a sender wishes to sign a message before encryption, they should alter the order of the signature and encryption elements inside of the <wsse:Security> header.": alter in what way, this needs to be more specific. 839 "care MUST be taken in creating a signing policy that requires signing of parts of the message that might legitimately be altered in transit.": shouldn't this say "care MUST be taken not to create a signing policy that requires signing of parts of the message that might legitimately be altered in transit." ? 841 "SOAP applications MUST satisfy the following conditions: The application MUST be capable of processing the required elements defined in the XML Signature specification.": SOAP applications or WSS implementation ? The latter is used elsewhere in the specification. *** 855 "If overall message processing is to remain robust, intermediaries must exercise care that their transformations do not affect of a digitally signed component.": again a reference to soap12-n11n would seem to be in order here. Intermediaries are allowed to perform certain transformations, rather than implying the need for additional restrictions on intermediaires it seems more realistic to require normalization of the effects of such legal transformations. 9 Encryption 1026 "The combined process of encrypting portion(s) of a message and adding one of these a sub-elements is called an encryption step hereafter.": remove the 'a' between 'these' and 'sub-elements'. 9.3.1 Encryption *** The suggested process for performing encryption would only include the data from the original message that was encrypted. All other data would be ommitted, suggest adding an additional step to copy in all the non-encrypted data. *** 1166 "Parts of a SOAP message may be encrypted in such a way that they can be decrypted by an intermediary that is targeted by one of the SOAP headers. Consequently, the exact behavior of intermediaries with respect to encrypted data is undefined and requires an out-of-band agreement.": more detail required, why is the behaviour undefined ? Surely the intermediary would decrypt the parts as instructed by the corresponding header block ? 12 Error Handling *** The specification should define the values of the Fault/Reason/Text, Fault/Code/Value and Fault/Code/Subcode/Value EIIs. Presumably the defined codes are the allowable values of the Fault/Code/Subcode/Value EIIs ? What values should be used for each code in the corresponding Fault/Reason/Text, Fault/Code/Value EIIs ? 16 References 1545 [SOAP12] W3C Working Draft, 26 June 2002: This should be updated to point to the SOAP 1.2 Recomendation. Web Services Security: UsernamToken Profile ------------------------------------------- This review refers to Web Services Security: UsernameToken Profile located at http://www.oasis-open.org/committees/download.php/3154/WSS-Username-04- 081103-merged.pdf General Needs a thorough proof reading session. Throughout the document certain words and phrases are highlighted in blue. E.g. the word SOAP is often highlighted in blue. There is no mention of any notational convention applicable to this coloring so its not clear if it has any particular meaning or intent. On further reading it seems that blue coloring is intended to convey a bibiographic citation - a better means of indicating this is required. In some places the common [nn] format is used for citations, the document should adopt a single consistent style throughout. Note that none of the [nn] citations are actually listed in the references section of the document ! Status The TC home page describes documents that have achieved committee spec status. However the link points to a document whose status section indicates it is an 'interim draft'. Shouldn't the status section reflect the committee spec status ? 2. Notations and Terminology 2,1 Notational Conventions (should this be 2.1 - ie '.' instead of ',') ? Lines 54-59 seem to be in a different font though the reason for this is unclear. 67 "The current SOAP 1.2 namespace URI is used herein...": an old URI is used, needs updating to refelct the ns URI of the SOAP 1.2 Recommendation. 3. Terminology Repeats much of the text from section 2 ! It looks to me like section 3 should be a subsection of section 2. The repeated text needs to be removed. 3 UsernameToken Extensions 87 Section number seems to be 'compromised'. There are two section 3s and two section 4s ! Renumbering required. None of the subsections of the second section 3 are numbered - is this deliberate ? 93 "providing": the letters 'd' and 'i' are colored purple for some reason. 99 "For example, if a server does not have access to the clear text of a password but does have the hash, then the hash is considered a password equivalent and can be used anywhere where a "password" is indicated in this specification.": its not clear from this description whether such a hash should be contained in a wsse:PasswordText or wsse:PasswordDigest typed Password element ? Also note that the formatting of element names and types is not consistent. In some places a fixed width font is applied, in others no formatting is used. Is there any significance to such formatting chnages or does the document just need a consistency check ? 106 "..": there are quite a few instances of double full stops throughout the document, a simple search and replace of ".." for "." is required. 126 "1. First, it is recommended that web service providers reject any UsernameToken not using both nonce and creation timestamps.": recommended or RECOMMENDED as per RFC 2119 ? Same comment for next two points in the list and elsewhere in the document. Its not clear whether 'recommended' is being used in the RFC 2119 sense or not. Suggest adopting the notations as described in section 2 (and again in the first section 3). 186, 204 Both examples use out of date SOAP 1.2 namespace URIs. References A number of out of date references are listed including SOAP 1.2 and XML Encryption. These should be updated to reflect the latest versions. Web Services Security: X.509 Token Profile ------------------------------------------ This review refers to Web Services Security: X.509 Token Profile located at http://www.oasis-open.org/committees/download.php/3214/WSS- X509%20draft%2010.pdf General Despite referring to SOAP 1.2, most, if not all, of the examples and namespace URIs are taken from previous versions of SOAP or early drafts of the SOAP 1.2 Recommendation - a pass through the document to ensure alignment with the SOAP 1.2 Recommendation is required. Status The TC home page describes documents that have achieved committee spec status. However the link points to a document whose status section indicates it is an 'interim draft'. Shouldn't the status section reflect the committee spec status ? 2.1 Notational Conventions 142 "This document uses the notational conventions defined in SOAP Message Security [WS-Security].": SOAP Message Security is colored blue, the reason for this isn't clear. I suspect its something related to the following citation, but that is already captured in the [WS-Security]. 148 "The XML namespace URIs": XML namespace is colored blue, perhaps this should be followed by [XML-ns] ? Further occurances of this are not noted, the editors need to settle on a single citation format. 151, 152 Its surprising to see the WSS namespace URIs using the xmlsoap.org domain. This domain is the property of Microsoft Corp and they maintain control over what such namespace URI resolve to. For an OASIS standard one would expect namespace URIs to use the oasis-open.org domain instead. 153 The SOAP namespace is out of date, needs updating to the SOAP 1.2 Recommendation namespace. 238, 285, 362 Update envelope namespace to SOAP 1.2 Recommendation namespace 3.3.1 Key Identifier 233 "Consequently implementations that use this form of reference within a signature SHOULD employ the wsse:SecurityTokenReference deferencing transform within a core barename XPointer reference to the signature key information in order to ensure that the referenced certificate is signed, and not just the ambiguous reference.": Editorial s/deferencing/dereferencing/. This could do with some rewording to make the intent clear, spelling out exactly what is being recommended (signing the ds:KeyInfo via an Xpointer reference along with the actual data to be signed ??). Also a reference to the definition of the wsse:SecurityTokenReference dereferencing transform would be useful here. 4 References It would be useful to give URLs to those referenced specifications that are available online. 417 SOAP reference is to SOAP 1.1, should be to SOAP 1.2 Recommendation. 426, 427 references need to be filled in. -- Marc Hadley <marc.hadley@sun.com> Web Technologies and Standards, Sun Microsystems.
Received on Tuesday, 14 October 2003 17:05:14 UTC