OASIS Mailing List Archives

ws-sx message



Subject: RE: [ws-sx] Issue 66: Security Policy Usecases


I apologize for the late feedback. I don't have anything major here, just some suggestions to tighten the doc up and a few clarifying questions.

- As has been discussed, the title is inaccurate. This document is really just "SecurityPolicy Examples". The title "SecurityPolicy Scenarios and Examples" would also be acceptable. In that case, to really document scenarios there would need to be a lot more discussion in each section of the parties involved in a secure exchange. This would potentially include highlighting differences between a service's policy and an STS' policy. That might be more work than we want to undertake though. For one thing, that starts to lead back to the road of illustrating the related message examples. I for one wouldn't look forward to the amount of work that would be. I certainly find the examples illustrative without that.

- Not all of the examples discuss the subject level the assertions apply to. That should be consistent across all of the examples.

- Some of the examples are not clear that they are showing optional assertions, as an example see 2.1.2 Use of SSL. Optional assertions should probably be called out in the text describing the example so as to not imply they would always be used.

- When referencing other docs a link should always be provided. Building a table of references to use throughout the doc would be better.

- In some WSS1.1 examples, for instance 2.14, the 1.0 token types are still being used. This seems valid but the rationale behind the choice should be described in the text.
Some examples that show a specific version of WSS do not include the WSS assertion. See 2.3.1.1 for an example of this. It may be it is not relevant to the example. In that case it should be removed from the example title or explained in the text why it is not illustrated.

-----Original Message-----
From: Rich Levinson [mailto:rich.levinson@oracle.com]
Sent: Tuesday, September 12, 2006 5:15 PM
To: Marc Goodner
Cc: ws-sx@lists.oasis-open.org; Martin Gudgin; Hal Lockhart; Ashok Malhotra
Subject: Re: [ws-sx] Issue 66: Security Policy Usecases

Attached is updated version working draft 02 (dated internally at Sept 12, 2006) of the Security Policy Usecases document.

It includes responses to comments received from Martin and Symon ((emailed from Hal), I think Symon's question on asymmetric vs symmetric should be answered by the source referencing).

    (note: I had some problems with the Word comment feature, so
    please ignore the remnants of the original comments.)

It includes source references, where known, for where the use cases came from. These sources possibly may be used as examples of implementations that could use the associated policies, but that is not guaranteed at this time.

Finally, it includes a reworked section 2.3 for the SAML use cases.
In particular, the examples are intended to be consistent with the guidelines specified in the earlier email that addresses issue 101.

As always, comments, corrections, suggestions are welcome.

    Thanks,
    Rich Levinson
    Oracle


