ws-sx-comment message



Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?


At the current time, the scope of WS-SecurityPolicy (and in fact the
entire family of WS-Security specifications) is the security mechanisms
applied to messages passing between a Web Service Consumer and a Web
Service. Thus the treatment of log, audit or trace files or their very
existence is out of scope as are other issues such as the Authorization
technology used, how stored application data is protected and which
Token issuers are trusted.

Hal

> -----Original Message-----
> From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
> Sent: Wednesday, April 02, 2008 9:35 AM
> To: ws-sx-comment@lists.oasis-open.org
> Subject: [ws-sx-comment] Policy to require persisted trace log encryption?
> 
> Greetings WS-SX TC
> 
> I've a question/comment regarding web services security policies.
> 
> I would expect, rightly or wrongly, that there would be a policy to
> require that a web server handling a web service encrypt all messages
> for a particular web service in *traces*. Is this within scope for ws
> security policy specifications and is it already handled? Is it part of
> a security policy scope to include the conformance requirement that for
> a certain encryption policy in a web service the traces too are
> encrypted? If not then would it not be the ideal for the scope to be
> increased to cover this, when such trace logs are persisted and used for
> ongoing monitoring in production use?
> 
> As there are reasons to have traces still operating in production
> environments (such as monitoring, perhaps for audit reasons) it seems
> reasonable that a security policy covering encryption of all or part of
> the ws message have a conformance requirement that the same policy be
> enforced in the trace for 'end-to-end' security. Maybe if there is no
> such requirement for existing policies then there would seem to me ample
> reason to have a new policy for which this applies. Maybe it could be of
> such granularity that it can be applied to just certain parts of the
> message, like with signatures, say.
> 
> I previously asked / commented on W3C's WS-Policy list but was directed
> to this TC.
> 
> http://lists.w3.org/Archives/Public/public-ws-policy/2008Apr/0000.html
> 
> Best regards
> 
> 
> 
> 
> ------------------------------------------------------------
> Stephen Green
> 
> Senior IT Officer
> Bristol City Council
> Room G45, Romney House
> Romney Avenue
> Bristol  BS7 9TB
> Tel: 0117 922 3794
> Fax: 0117 922 4877
> Email: stephen_green@bristol.gov.uk
> 
> 
> 