
The Security Profile - Secure Channel (Sep 28 draft) has a set of statements, which elaborate on the compliance statements, along the lines of "Ciphersuites listed in Table 3 in TLS-Guideline [TLS Guidelines] meet criteria of R0XXX." We discussed these statements last Thursday and it was stated that such statements are not intended to be normative. I took an action to rewrite the text to make it clearer that these are not normative statements.

The problem I have after looking at the text again (incl. the compliance statements) and also looking at the WS-I BSP is that it does not help people wishing to implement the Secure Channel profile if these statements are not normative and if they do not describe concretely which suites should be used (or not). Saying 'do not use known insecure suites' or 'only use secure ones' are motherhood statements. In any case they are not really testable, which is one point of compliance statements.

Also, the WS-I BSP has some discussion and normative statements in sec. 3.2 about TLS/SSL ciphersuites, and since the Secure Channel states that it "extends the WS-I Basic Security Profile 1.0", I became unsure about what the relation between the various compliance statements in the Secure Channel and the statements in the WS-I BSP is.

In short, sorry, can't do. I am not a security person... ;-)

Maybe we should discuss this issue again on the next call this Thursday. (Dave? Alan? Takuya? Frank!)

Andreas
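The mail's point that "do not use known insecure suites" is not testable, whereas a concrete list of permitted suites is, can be shown with a small compliance check. The following is an added example and not code from the original message, from the Secure Channel profile or from the WS-I BSP; the allow-list stands in for "Table 3 in TLS-Guideline", whose actual contents are not on the page, so its entries and the sample handshake log lines are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed allow-list standing in for the profile's "Table 3 in TLS-Guideline".
# The real table is not reproduced on the page, so these entries are assumptions;
# the point is that an explicit list is something a test can check against.
ALLOWED_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
})


def check_suites(configured: Iterable[str]) -> tuple[bool, list[str]]:
    """Testable form of a compliance statement.

    Returns (compliant, violations): a configuration is compliant only if it
    enables at least one suite and every enabled suite is on the allow-list.
    A phrase like "no known insecure suites" gives no such decision procedure.
    """
    configured = list(configured)
    violations = sorted(s for s in configured if s not in ALLOWED_SUITES)
    return (len(configured) > 0 and not violations, violations)


# Constructed server log excerpt (hypothetical format: one handshake per line,
# negotiated suite recorded as "cipher=<IANA name>").
SAMPLE_LOG = """\
2007-10-01T10:00:01 client=10.0.0.5 negotiated cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2007-10-01T10:00:02 client=10.0.0.6 negotiated cipher=TLS_RSA_WITH_RC4_128_SHA
2007-10-01T10:00:03 client=10.0.0.7 handshake failed
2007-10-01T10:00:04 client=10.0.0.8 negotiated cipher=TLS_AES_256_GCM_SHA384
"""

_CIPHER_RE = re.compile(r"cipher=(\S+)")


def audit_handshake_log(log: str) -> list[tuple[int, str]]:
    """Apply the same allow-list to negotiated suites seen in a handshake log.

    Returns (line number, suite) for every handshake that completed with a
    suite outside the allow-list; lines without a negotiated suite are skipped.
    """
    findings = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        match = _CIPHER_RE.search(line)
        if match is None:
            continue
        suite = match.group(1)
        if suite not in ALLOWED_SUITES:
            findings.append((lineno, suite))
    return findings


if __name__ == "__main__":
    print(check_suites(["TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_NULL_SHA"]))
    print(audit_handshake_log(SAMPLE_LOG))
```

The same allow-list drives both a static check of a configuration and an audit of observed handshakes, which is what makes the statement a compliance statement rather than guidance: two implementers running the check against the same input get the same verdict.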