- From: Marc Hadley <Marc.Hadley@Sun.COM>
- Date: Tue, 30 Sep 2003 12:12:26 -0400
- To: xml-dist-app@w3.org
In fulfillment of my action item from a recent telcon, the following is my initial review of the third part of the Web Services Security committee specification for consideration by the XMLP WG.

Regards,
Marc.

Web Services Security - W3C XMLP WG Review
------------------------------------------

This review refers to Web Services Security: X.509 Token Profile located at

http://www.oasis-open.org/committees/download.php/3214/WSS-X509%20draft%2010.pdf

linked from the WSS TC homepage at:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

The comments follow document order; I have indicated the sections of the document and line numbers where appropriate.

Meta
----

"Comments are welcome from all interested parties and may be submitted to the WSS TC comment list at wss-comment@lists.oasis-open.org . If you are not yet subscribed to this list you will have to subscribe in order to post a comment; send a message to wss-comment-subscribe@lists.oasis-open.org Any comments made can be viewed at http://lists.oasis-open.org/archives/wss-comment/"

It is counterproductive to force commentators to join a mailing list in order to post comments on a public draft - this will put off many casual reviewers. If the TC is serious about gathering public input on the documents then the list should be open to non-subscribers.

Web Services Security: X.509 Token Profile
------------------------------------------

General

Despite referring to SOAP 1.2, most, if not all, of the examples and namespace URIs are taken from previous versions of SOAP or early drafts of the SOAP 1.2 Recommendation - a pass through the document to ensure alignment with the SOAP 1.2 Recommendation is required.

Status

The TC home page describes documents that have achieved committee spec status. However the link points to a document whose status section indicates it is an 'interim draft'. Shouldn't the status section reflect the committee spec status?
2.1 Notational Conventions

142 "This document uses the notational conventions defined in SOAP Message Security [WS-Security].": SOAP Message Security is colored blue, the reason for this isn't clear. I suspect it's something related to the following citation, but that is already captured in the [WS-Security].

148 "The XML namespace URIs": XML namespace is colored blue, perhaps this should be followed by [XML-ns]? Further occurrences of this are not noted; the editors need to settle on a single citation format.

151, 152 It's surprising to see the WSS namespace URIs using the xmlsoap.org domain. This domain is the property of Microsoft Corp and they maintain control over what such namespace URIs resolve to. For an OASIS standard one would expect namespace URIs to use the oasis-open.org domain instead.

153 The SOAP namespace is out of date, needs updating to the SOAP 1.2 Recommendation namespace.

238, 285, 362 Update envelope namespace to SOAP 1.2 Recommendation namespace.

3.3.1 Key Identifier

233 "Consequently implementations that use this form of reference within a signature SHOULD employ the wsse:SecurityTokenReference deferencing transform within a core barename XPointer reference to the signature key information in order to ensure that the referenced certificate is signed, and not just the ambiguous reference.": Editorial s/deferencing/dereferencing/. This could do with some rewording to make the intent clear, spelling out exactly what is being recommended (signing the ds:KeyInfo via an XPointer reference along with the actual data to be signed??). Also a reference to the definition of the wsse:SecurityTokenReference dereferencing transform would be useful here.

4 References

It would be useful to give URLs to those referenced specifications that are available online.

417 SOAP reference is to SOAP 1.1, should be to SOAP 1.2 Recommendation.

426, 427 References need to be filled in.

--
Marc Hadley <marc.hadley@sun.com>
Web Technologies and Standards, Sun Microsystems.
Received on Tuesday, 30 September 2003 12:12:31 UTC
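The comment on section 3.3.1 above concerns a concrete verification gap: a wsse:KeyIdentifier inside ds:KeyInfo only names a certificate, so unless the key reference (or, via the dereferencing transform, the referenced token itself) is covered by one of the signature's own ds:Reference elements, the identifier can be swapped for another certificate without invalidating the signature. The following is an added example, not part of Marc Hadley's review and not code from the WSS TC, that shows the shape of such a check on a constructed SOAP 1.2 envelope. It assumes the SOAP 1.2 Recommendation envelope namespace, the XML Signature namespace, the final OASIS WSS 1.0 secext/utility namespace URIs (the draft under review still used xmlsoap.org URIs), and the STR-Transform algorithm URI; digest, signature and key identifier values are constructed placeholders, not real cryptographic output.

```python
import xml.etree.ElementTree as ET

# Assumed namespaces: SOAP 1.2 Recommendation envelope, XML Signature, and the
# final OASIS WSS 1.0 secext/utility URIs (not the draft-10 xmlsoap.org ones).
NS = {
    "env": "http://www.w3.org/2003/05/soap-envelope",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Assumed URI of the wsse:SecurityTokenReference dereferencing transform.
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")

# Constructed sample envelope: the body is signed, and the signing key is
# named only by a wsse:KeyIdentifier inside ds:KeyInfo. Digest, signature and
# key identifier values are placeholders, not real cryptographic output.
ENVELOPE_TEMPLATE = """<env:Envelope xmlns:env="{env}" xmlns:ds="{ds}"
    xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
  <env:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#body-1">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Ym9keS1kaWdlc3Q=</ds:DigestValue>
          </ds:Reference>{extra_reference}
        </ds:SignedInfo>
        <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference wsu:Id="str-1">
            <wsse:KeyIdentifier>cGxhY2Vob2xkZXI=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body wsu:Id="body-1">
    <order>constructed sample payload</order>
  </env:Body>
</env:Envelope>"""

# The extra ds:Reference that section 3.3.1 recommends: it points at the STR by
# barename XPointer and applies the dereferencing transform, so the digest is
# taken over the referenced token rather than over the ambiguous identifier.
STR_REFERENCE = """
          <ds:Reference URI="#str-1">
            <ds:Transforms>
              <ds:Transform Algorithm="{transform}"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>c3RyLWRpZ2VzdA==</ds:DigestValue>
          </ds:Reference>""".format(transform=STR_TRANSFORM)


def sample_envelope(sign_key_info: bool) -> str:
    """Return the constructed envelope with or without the STR reference."""
    extra = STR_REFERENCE if sign_key_info else ""
    return ENVELOPE_TEMPLATE.format(extra_reference=extra, **NS)


def key_reference_status(xml_text: str) -> dict:
    """Classify every wsse:SecurityTokenReference found inside a ds:KeyInfo.

    Result maps the STR's wsu:Id (None if it has none, in which case it cannot
    be referenced by id at all) to one of:
      'unsigned'     - no ds:Reference of this signature covers the STR
      'str-only'     - a ds:Reference covers the STR element, but without the
                       dereferencing transform, so only the identifier text
                       is digested, not the certificate it names
      'token-signed' - the STR is covered via the dereferencing transform
    """
    root = ET.fromstring(xml_text)
    wsu_id = "{%s}Id" % NS["wsu"]
    statuses = {}
    for sig in root.iterfind(".//ds:Signature", NS):
        # Collect what this signature actually covers, keyed by barename id.
        covered = {}
        for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                algs = {t.get("Algorithm")
                        for t in ref.iterfind("ds:Transforms/ds:Transform", NS)}
                covered[uri[1:]] = algs
        for str_el in sig.iterfind("ds:KeyInfo/wsse:SecurityTokenReference", NS):
            str_id = str_el.get(wsu_id)
            if str_id is None or str_id not in covered:
                statuses[str_id] = "unsigned"
            elif STR_TRANSFORM in covered[str_id]:
                statuses[str_id] = "token-signed"
            else:
                statuses[str_id] = "str-only"
    return statuses


if __name__ == "__main__":
    for signed in (False, True):
        print(signed, key_reference_status(sample_envelope(signed)))
```

The check only inspects signature structure; it does not verify digests or the signature value, which a real receiver must still do. It is meant to sit beside signature verification as a policy check: a message whose ds:KeyInfo comes back as 'unsigned' or 'str-only' should be rejected or flagged, since the certificate binding it relies on is not protected by the signature.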