Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?

Thanks Hal - very quick response.

Is there much chance of the scope being increased or is it limited by charter? I would think this would put off many from using web services if they cannot ensure encryption of the message in a trace as well as on the wire. I'd compare it with what seems to be a better scope for security in the ebXML stack, such as ebBP where there is scope to cover how the message is treated *after* it is received. Is there some reason this kind of thing cannot be applied to other web services too?

------------------------------------------------------------
Stephen Green

Senior IT Officer
Bristol City Council
Room G45, Romney House
Romney Avenue
Bristol BS7 9TB
Tel: 0117 922 3794
Fax: 0117 922 4877
Email: stephen_green@bristol.gov.uk

>>> "Hal Lockhart" <hlockhar@bea.com> 02/04/08 15:33 >>>

At the current time, the scope of WS-SecurityPolicy (and in fact the entire family of WS-Security specifications) is the security mechanisms applied to messages passing between a Web Service Consumer and a Web Service. Thus the treatment of log, audit or trace files or their very existence is out of scope as are other issues such as the Authorization technology used, how stored application data is protected and which Token issuers are trusted.

Hal

> -----Original Message-----
> From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
> Sent: Wednesday, April 02, 2008 9:35 AM
> To: ws-sx-comment@lists.oasis-open.org
> Subject: [ws-sx-comment] Policy to require persisted trace log encryption?
>
> Greetings WS-SX TC
>
> I've a question/comment regarding web services security policies.
>
> I would expect, rightly or wrongly, that there would be a policy to
> require that a web server handling a web service encrypt all messages
> for a particular web service in *traces*. Is this within scope for ws
> security policy specifications and is it already handled? Is it part of
> a security policy scope to include the conformance requirement that for
> a certain encryption policy in a web service the traces too are
> encrypted? If not then would it not be the ideal for the scope to be
> increased to cover this, when such trace logs are persisted and used for
> ongoing monitoring in production use?
>
> As there are reasons to have traces still operating in production
> environments (such as monitoring, perhaps for audit reasons) it seems
> reasonable that a security policy covering encryption of all or part of
> the ws message have a conformance requirement that the same policy be
> enforced in the trace for 'end-to-end' security. Maybe if there is no
> such requirement for existing policies then there would seem to me ample
> reason to have a new policy for which this applies. Maybe it could be of
> such granularity that it can be applied to just certain parts of the
> message, like with signatures, say.
>
> I previously asked / commented on W3C's WS-Policy list but was directed
> to this TC.
>
> http://lists.w3.org/Archives/Public/public-ws-policy/2008Apr/0000.html
>
> Best regards
>
> ------------------------------------------------------------
> Stephen Green
>
> Senior IT Officer
> Bristol City Council
> Room G45, Romney House
> Romney Avenue
> Bristol BS7 9TB
> Tel: 0117 922 3794
> Fax: 0117 922 4877
> Email: stephen_green@bristol.gov.uk
>
> ______________________________________________________________________
> 'Do it online' with our growing range of online services -
> http://www.bristol.gov.uk/services
>
> Sign-up for our email bulletin giving news, have-your-say and event
> information at: http://www.bristol.gov.uk/newsdirect
>
> Watch webcasts of Council meetings at http://www.bristol.gov.uk/webcast
>
> --
> This publicly archived list offers a means to provide input to the
> OASIS Web Services Secure Exchange (WS-SX) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
> Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
> List help: ws-sx-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx