This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration each contain a "Security Considerations" section. These sections contain various bits of "pious advice" that have no normative value and little to do with the protocols to which they apply. If you understand the basics of web services security, these sections won't teach you anything new and don't provide any insight into the particular problems of securing their corresponding protocols. For example, the Security Considerations section of WS-Eventing says nothing about making sure that the sender of a Renew, GetStatus, or Unsubscribe request is the same entity as the sender of the Subscribe request that created the subscription that is being acted upon.

Proposal 1: remove the "Security Considerations" sections from WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration.

Proposal 2: rewrite the "Security Considerations" sections from WS-Eventing, WS-Transfer, WS-MetadataExchange, and WS-Enumeration along the following guidelines:

1. Identify the specific resources that need to be protected (e.g. subscriptions, enumeration contexts, etc.)
2. Describe common methods for protecting these resources including, but not limited to, the use of WS-Security and related technologies. Relate these methods to the protocol in question.
3. Identify any special challenges posed to (2) due to the nature of the protocols, etc.
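The sender-binding check the report says WS-Eventing's section omits, as an added sketch that is not taken from the specifications or from this bug's attachments. It assumes `principal` is an identity string already authenticated by the transport or message security layer (for example via WS-Security); the class and method names are hypothetical.

```python
import secrets
import time


class AccessDenied(Exception):
    """Raised for an unknown subscription or a caller who does not own it."""


class SubscriptionManager:
    """Toy in-memory event source that binds each subscription to its creator."""

    def __init__(self, clock=time.time):
        self._subs = {}        # subscription id -> {"owner", "expires"}
        self._clock = clock    # injectable so expiry can be tested

    def subscribe(self, principal, lifetime_s):
        # The id is unguessable, but it is not treated as a credential:
        # it travels in messages and may be logged or leaked.
        sub_id = secrets.token_urlsafe(16)
        self._subs[sub_id] = {"owner": principal,
                              "expires": self._clock() + lifetime_s}
        return sub_id

    def _authorize(self, principal, sub_id):
        sub = self._subs.get(sub_id)
        if sub is not None and sub["expires"] <= self._clock():
            del self._subs[sub_id]   # expired subscriptions cannot be revived
            sub = None
        # Same error for "unknown" and "not yours", so a caller cannot
        # probe for other parties' subscription ids.
        if sub is None or sub["owner"] != principal:
            raise AccessDenied("subscription not available to caller")
        return sub

    def renew(self, principal, sub_id, lifetime_s):
        sub = self._authorize(principal, sub_id)
        sub["expires"] = self._clock() + lifetime_s
        return sub["expires"]

    def get_status(self, principal, sub_id):
        return self._authorize(principal, sub_id)["expires"]

    def unsubscribe(self, principal, sub_id):
        self._authorize(principal, sub_id)
        del self._subs[sub_id]
```

The same ownership check applies to the other resources the proposal names, such as enumeration contexts.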
Created attachment 865: v1 of WS-Enumeration security section. Moved from 8273.
Created attachment 866: PDF v1 of WS-Enumeration security section. Moved from 8273.
Created attachment 870: v2 of WS-Enumeration security section. Source ODT file (w/changes tracked from previous proposal), a clean PDF of the proposal, and a PDF with changes visible.
resolved as proposed in v2