Review - Web Services Security: UsernameToken Profile (2 of 3)

In partial fulfillment of my action item from last week's telcon, the  
following is my initial review of the second part of the Web Services  
Security committee specification for consideration by the XMLP WG. A  
review of the final part will follow as time allows.

Regards,
Marc.

Web Services Security - W3C XMLP WG Review
------------------------------------------

This review refers to Web Services Security: UsernameToken Profile  
located at

http://www.oasis-open.org/committees/download.php/3154/WSS-Username-04- 
081103-merged.pdf

linked from the WSS TC homepage at:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

The comments follow document order; I have indicated the sections of  
the document and line numbers where appropriate.


Meta
----

"Comments are welcome from all interested parties and may be submitted  
to the WSS TC comment list at wss-comment@lists.oasis-open.org . If you  
are not yet subscribed to this list you will have to subscribe in order  
to post a comment; send a message to  
wss-comment-subscribe@lists.oasis-open.org Any comments made can be  
viewed at http://lists.oasis-open.org/archives/wss-comment/"

It is counter productive to force commentators to join a mailing list  
in order to post comments on a public draft - this will put off many  
casual reviewers. If the TC is serious about gathering public input on  
the documents then the list should be open to non-subscribers.


Web Services Security: SOAP Message Security
--------------------------------------------

General

Needs a thorough proof reading session. Throughout the document certain  
words and phrases are highlighted in blue. E.g. the word SOAP is often  
highlighted in blue. There is no mention of any notational convention  
applicable to this coloring so it's not clear if it has any particular  
meaning or intent. On further reading it seems that blue coloring is  
intended to convey a bibliographic citation - a better means of  
indicating this is required. In some places the common [nn] format is  
used for citations, the document should adopt a single consistent style  
throughout. Note that none of the [nn] citations are actually listed in  
the references section of the document!

Status
The TC home page describes documents that have achieved committee spec  
status. However the link points to a document whose status section  
indicates it is an 'interim draft'. Shouldn't the status section  
reflect the committee spec status?

2. Notations and Terminology

2,1 Notational Conventions (should this be 2.1 - i.e. '.' instead of  
',')?

Lines 54-59 seem to be in a different font though the reason for this  
is unclear.

67 "The current SOAP 1.2 namespace URI is used herein...": an old URI  
is used, needs updating to reflect the ns URI of the SOAP 1.2  
Recommendation.

3. Terminology

Repeats much of the text from section 2! It looks to me like section 3  
should be a subsection of section 2. The repeated text needs to be  
removed.

3 UsernameToken Extensions

87 Section number seems to be 'compromised'. There are two section 3s  
and two section 4s! Renumbering required. None of the subsections of  
the second section 3 are numbered - is this deliberate?

93 "providing": the letters 'd' and 'i' are colored purple for some  
reason.

99 "For example, if a server does not have access to the clear text of  
a password but does have the hash, then the hash is considered a  
password equivalent and can be used anywhere where a "password" is  
indicated in this specification.": it's not clear from this description  
whether such a hash should be contained in a wsse:PasswordText or  
wsse:PasswordDigest typed Password element?

Also note that the formatting of element names and types is not  
consistent. In some places a fixed width font is applied, in others no  
formatting is used. Is there any significance to such formatting  
changes or does the document just need a consistency check?

106 "..": there are quite a few instances of double full stops  
throughout the document, a simple search and replace of ".." for "." is  
required.

126 "1. First, it is recommended that web service providers reject any  
UsernameToken not using both nonce and creation timestamps.":  
recommended or RECOMMENDED as per RFC 2119? Same comment for next two  
points in the list and elsewhere in the document. It's not clear whether  
'recommended' is being used in the RFC 2119 sense or not. Suggest  
adopting the notations as described in section 2 (and again in the  
first section 3).

186, 204 Both examples use out of date SOAP 1.2 namespace URIs.

References

A number of out of date references are listed including SOAP 1.2 and  
XML Encryption. These should be updated to reflect the latest versions.

--
Marc Hadley <marc.hadley@sun.com>
Web Technologies and Standards, Sun Microsystems.

Received on Wednesday, 24 September 2003 15:55:39 UTC
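Added example, not part of Marc's review or of the WSS TC documents: the comments on lines 99 and 126 of the reviewed draft concern the password-equivalent hash and the recommendation to reject tokens that lack a nonce and creation timestamp. The code below shows what those two points mean in practice, using the PasswordDigest construction the UsernameToken Profile defines, Base64(SHA-1(nonce + created + password)), on the client side, and on the server side the nonce-replay and freshness checks that the recommendation exists to enable. The function and class names, the five-minute freshness window and the sample credentials are constructed for the example; the server-side password store is assumed to hold whatever value (clear-text password or password equivalent) the server uses as the password input to the digest.

```python
"""Added example: wsse:PasswordDigest computation and verification.
Names, window size and sample values are constructed for illustration."""
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as the profile defines it.
    `nonce` is the raw nonce bytes, `created` the xsd:dateTime string
    exactly as it appears in the token (the digest covers the string)."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_token(username: str, password: str, created: str,
               nonce: Optional[bytes] = None) -> Dict[str, str]:
    """Client side: the fields a wsse:UsernameToken carries when the
    Password element is typed wsse:PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side. `passwords` maps username -> the value the server uses
    as the password input to the digest (assumption: a clear-text password
    or a stored password equivalent, as the reviewed text allows)."""

    def __init__(self, passwords: Dict[str, str],
                 freshness: timedelta = timedelta(minutes=5)):
        self._passwords = passwords
        self._freshness = freshness
        self._seen: Dict[bytes, datetime] = {}  # nonce -> Created, for replay detection

    def verify(self, token: Dict[str, str], now: datetime) -> Tuple[bool, str]:
        created = token.get("Created")
        nonce_b64 = token.get("Nonce")
        # Reviewed draft, line 126, point 1: reject tokens lacking nonce or created.
        if not created or not nonce_b64:
            return False, "missing Nonce or Created"
        try:
            created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ") \
                .replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        # Freshness window: a stale (or future-dated) Created is rejected, which
        # bounds how long the nonce cache below has to remember a nonce.
        if abs(now - created_dt) > self._freshness:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        # Replay: the same nonce must not be accepted twice within the window.
        if nonce in self._seen:
            return False, "nonce replayed"
        password = self._passwords.get(token.get("Username", ""))
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if expected != token.get("PasswordDigest"):
            return False, "digest mismatch"
        self._seen[nonce] = created_dt
        self._expire(now)
        return True, "ok"

    def _expire(self, now: datetime) -> None:
        """Drop nonces whose Created has left the freshness window; a token
        carrying them would be rejected as stale anyway."""
        for n, t in list(self._seen.items()):
            if now - t > self._freshness:
                del self._seen[n]


if __name__ == "__main__":
    created = "2003-09-24T15:55:39Z"          # constructed timestamp
    tok = make_token("alice", "s3cret", created, b"0123456789abcdef")
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    now = datetime(2003, 9, 24, 15, 56, 0, tzinfo=timezone.utc)
    print(verifier.verify(tok, now))          # accepted on first presentation
    print(verifier.verify(tok, now))          # same token replayed: rejected
```

Note that the digest only binds the password to this nonce and timestamp; it does not protect the rest of the message, so a practitioner still needs TLS or a message signature to stop an attacker lifting a fresh token off the wire and reusing it before the nonce cache sees it.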