
Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?


Thanks Hal - very quick response. 

Is there much chance of the scope being increased or
is it limited by charter? I would think this would put off
many from using web services if they cannot ensure
encryption of the message in a trace as well as on the
wire. I'd compare it with what seems to be a better
scope for security in the ebXML stack, such as ebBP
where there is scope to cover how the message is
treated *after* it is received. Is there some reason
this kind of thing cannot be applied to other web
services too?


------------------------------------------------------------
Stephen Green

Senior IT Officer
Bristol City Council
Room G45, Romney House
Romney Avenue
Bristol  BS7 9TB
Tel: 0117 922 3794
Fax: 0117 922 4877
Email: stephen_green@bristol.gov.uk 



>>> "Hal Lockhart" <hlockhar@bea.com> 02/04/08 15:33 >>>
At the current time, the scope of WS-SecurityPolicy (and in fact the
entire family of WS-Security specifications) is the security mechanisms
applied to messages passing between a Web Service Consumer and a Web
Service. Thus the treatment of log, audit or trace files or their very
existence is out of scope as are other issues such as the Authorization
technology used, how stored application data is protected and which
Token issuers are trusted.

Hal

> -----Original Message-----
> From: Stephen Green [mailto:stephen.green@bristol.gov.uk] 
> Sent: Wednesday, April 02, 2008 9:35 AM
> To: ws-sx-comment@lists.oasis-open.org 
> Subject: [ws-sx-comment] Policy to require persisted trace log encryption?
> 
> Greetings WS-SX TC
> 
> I've a question/comment regarding web services security policies.
> 
> I would expect, rightly or wrongly, that there would be a policy to
> require that a web server handling a web service encrypt all messages
> for a particular web service in *traces*. Is this within scope for ws
> security policy specifications and is it already handled? Is it part of
> a security policy scope to include the conformance requirement that for
> a certain encryption policy in a web service the traces too are
> encrypted? If not then would it not be the ideal for the scope to be
> increased to cover this, when such trace logs are persisted and used
> for ongoing monitoring in production use?
> 
> As there are reasons to have traces still operating in production
> environments (such as monitoring, perhaps for audit reasons) it seems
> reasonable that a security policy covering encryption of all or part of
> the ws message have a conformance requirement that the same policy be
> enforced in the trace for 'end-to-end' security. Maybe if there is no
> such requirement for existing policies then there would seem to me
> ample reason to have a new policy for which this applies. Maybe it
> could be of such granularity that it can be applied to just certain
> parts of the message, like with signatures, say.
> 
> I previously asked / commented on W3C's WS-Policy list but was directed
> to this TC.
> 
> http://lists.w3.org/Archives/Public/public-ws-policy/2008Apr/0000.html 
> 
> Best regards
> 


--
This publicly archived list offers a means to provide input to the
OASIS Web Services Secure Exchange (WS-SX) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org 
Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org 
List help: ws-sx-comment-help@lists.oasis-open.org 
List archive: http://lists.oasis-open.org/archives/ws-sx-comment/ 
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf 
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php 
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx 

______________________________________________________________________
'Do it online' with our growing range of online services - http://www.bristol.gov.uk/services 

Sign-up for our email bulletin giving news, have-your-say and event information at: http://www.bristol.gov.uk/newsdirect 

Watch webcasts of Council meetings at http://www.bristol.gov.uk/webcast
