< Return to Ballot details

Vote Details

Ballot: Approve WS-Security v1.1 as an OASIS Standard
Some of the key observations :

a. It does not cover aspects associated with N-WAY Security Context that are communicating via multiple processes. i.e No provision for identifying the Processor ID.

b. Does not specify how the interoperability between Kerberos and PKI but only specifies within a security mode how the security can be taken into account? In other words it does not include Federation aspects.

c. Not clear how the specification addresses the multiple trust domain. i.e though the scope does not specify how the trust is established or determined, it does not explicitly mention, how it works in multiple trust domain.

Chapter 3.1 – Security Model:

Not clear whether this can be or to be extended in a Single Sign On context (While SSO servers) are designed to provide the security credentials. Even if so, will it cater to all models of SSO?
- Strong shared authentication
- Network authentication

Majority of Replay attacks, non- repudiation are considered beyond the scope of the specification. Without the inclusion of them, the specification looks more like a framework for specifying the location for signature and common mechanisms for signing the signature.

Chapter 4.0 – ID references

a. Could not understand the term “attribute extensibility”. It says it refers to XML signature. But why XML signature cannot be used when multi signature formats as well as multi party signatures are said to be in use?

b. Global wsu:id attribute can be explained more. How it is ensured Global? Does it mean - inter document uniqueness?

c. While mechanism for ID references integrated with SOAP message foundation and SOAP processors is ideal to reduce the dynamic Schema discovery and processing, will it be able to accomadate existing JINI compatable/ stacks?

d. Elaboration required on the below statement:

Implementations may rely on XML Schema validation to provide rudimentary enforcement for intra-document uniqueness. However, applications SHOULD NOT rely on schema validation alone to enforce uniqueness.

Chapter 8.0 - Signature:

Could not understand the relevance of Canonical and non-canonical algorithms specified. May be some more explanation be mentioned?

Chapter 10. 0 -- Timestamp:

It is mentioned the specification does not provide mechanism for specifying synchronization of time. In a distributed computation, this may not be acceptable in mission critical functionalities. Can the scope not include the processor instrumentation?