Altova Mailing List Archives


Re: [xml-dev] Browser innovation efforts -- where's W3C in this picture?

From: Rich Salz <rsalz@---------.--->
To: David Megginson <dmeggin@---------.--->
Date: 7/8/2004 2:47:00 AM
> It's a slight overstatement -- very occasionally it is, in fact, necessary
> to make uncomfortably large specifications -- but for the most part, I agree
> with it.  Profiles are a pragmatic way to salvage something from a morbidly
> obese specification, but they also significantly increase compatibility
> problems: if you have n different profiles, then you have n^2-1 lines of
> incompatibility.

Sometimes a spec isn't huge, but is instead a simple container. Many
security specs are written this way.  For example, the IETF has profiled
X.509 certificates and Liberty is a profile of SAML.

Sometimes (again, in the security world), the data format itself must be
well-designed or it can be a weak spot.  For example, Bleichenbacher's
attack that made newspaper headlines in 1998 was because he found a
weakness in how the RSA signature was padded to fill out a buffer. So,
once you get a secure data format, you often leave it "open" so that
various crypto mechanisms (RSA, DSA, etc) can be used within that data
format.  In this case, you need a profile to determine which crypto to
actually use.  An example of this is WS-I Basic Security Profile of
WS-Security, which itself profiles/specifies/refines how to use XML DSIG
and XML Encryption to cryptographically secure SOAP messages.

Hope this helps.
	/r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
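
The point above about needing a profile to decide which crypto is used inside an "open" data format, as an added example that is not part of the original message: a check that the algorithm URIs in an XML DSIG `ds:SignedInfo` fall within a profile's allowlist. The `PROFILE` table and the `profile_violations` and `signed_info` names are assumptions made for illustration, not the WS-I Basic Security Profile's actual requirements, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Hypothetical profile (an assumption, not the WS-I BSP text): the Algorithm
# URIs permitted for each algorithm-bearing element inside ds:SignedInfo.
PROFILE = {
    "CanonicalizationMethod": {EXC_C14N},
    "SignatureMethod": {RSA_SHA256},
    "Transform": {EXC_C14N},
    "DigestMethod": {SHA256},
}

def profile_violations(xml_text, profile=PROFILE):
    """Return (element, algorithm) pairs in ds:SignedInfo that the profile rejects.
    This is a policy pre-check only; it does not verify the signature itself."""
    root = ET.fromstring(xml_text)
    signed_infos = list(root.iter(f"{{{DS}}}SignedInfo"))
    if not signed_infos:
        return [("SignedInfo", "missing")]
    violations = []
    for si in signed_infos:
        for name, allowed in profile.items():
            found = list(si.iter(f"{{{DS}}}{name}"))
            # ds:Transform is optional in XML DSIG; the other elements are required.
            if not found and name != "Transform":
                violations.append((name, "missing"))
            for el in found:
                alg = el.get("Algorithm")
                if alg not in allowed:
                    violations.append((name, alg))
    return violations

def signed_info(sig_alg, digest_alg):
    """Build a constructed sample ds:Signature (digest value is a placeholder)."""
    return f"""<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="{EXC_C14N}"/>
  <ds:SignatureMethod Algorithm="{sig_alg}"/>
  <ds:Reference URI="#body"><ds:DigestMethod Algorithm="{digest_alg}"/>
    <ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
</ds:SignedInfo></ds:Signature>"""

CONFORMING = signed_info(RSA_SHA256, SHA256)
OFF_PROFILE = signed_info(DS + "dsa-sha1", DS + "sha1")  # legal XML DSIG, outside the profile

if __name__ == "__main__":
    print("conforming: ", profile_violations(CONFORMING))
    print("off-profile:", profile_violations(OFF_PROFILE))
```

Both sample documents are well-formed XML DSIG; only the profile separates the one a receiver should accept from the one it should refuse.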

