Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?
It is limited by charter, but in fact all of the WS-* specs are limited to Interoperability between Web Service Consumers and Web Services. Internal behavior of any type is not specified by SOAP, WSDL, WS-Addressing, WS-RM, WS-Security, etc.

Hal

> -----Original Message-----
> From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
> Sent: Wednesday, April 02, 2008 10:56 AM
> To: Hal Lockhart; ws-sx-comment@lists.oasis-open.org
> Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?
>
> Thanks Hal - very quick response.
>
> Is there much chance of the scope being increased or
> is it limited by charter? I would think this would put off
> many from using web services if they cannot ensure
> encryption of the message in a trace as well as on the
> wire. I'd compare it with what seems to be a better
> scope for security in the ebXML stack, such as ebBP
> where there is scope to cover how the message is
> treated *after* it is received. Is there some reason
> this kind of thing cannot be applied to other web
> services too?
>
> ------------------------------------------------------------
> Stephen Green
>
> Senior IT Officer
> Bristol City Council
> Room G45, Romney House
> Romney Avenue
> Bristol BS7 9TB
> Tel: 0117 922 3794
> Fax: 0117 922 4877
> Email: stephen_green@bristol.gov.uk
>
> >>> "Hal Lockhart" <hlockhar@bea.com> 02/04/08 15:33 >>>
> At the current time, the scope of WS-SecurityPolicy (and in fact the
> entire family of WS-Security specifications) is the security mechanisms
> applied to messages passing between a Web Service Consumer and a Web
> Service. Thus the treatment of log, audit or trace files or their very
> existence is out of scope as are other issues such as the Authorization
> technology used, how stored application data is protected and which
> Token issuers are trusted.
>
> Hal
>
> > -----Original Message-----
> > From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
> > Sent: Wednesday, April 02, 2008 9:35 AM
> > To: ws-sx-comment@lists.oasis-open.org
> > Subject: [ws-sx-comment] Policy to require persisted trace log encryption?
> >
> > Greetings WS-SX TC
> >
> > I've a question/comment regarding web services security policies.
> >
> > I would expect, rightly or wrongly, that there would be a policy to
> > require that a web server handling a web service encrypt all messages
> > for a particular web service in *traces*. Is this within scope for ws
> > security policy specifications and is it already handled? Is it part of
> > a security policy scope to include the conformance requirement that for
> > a certain encryption policy in a web service the traces too are
> > encrypted? If not then would it not be the ideal for the scope to be
> > increased to cover this, when such trace logs are persisted and used for
> > ongoing monitoring in production use?
> >
> > As there are reasons to have traces still operating in production
> > environments (such as monitoring, perhaps for audit reasons) it seems
> > reasonable that a security policy covering encryption of all or part of
> > the ws message have a conformance requirement that the same policy be
> > enforced in the trace for 'end-to-end' security. Maybe if there is no
> > such requirement for existing policies then there would seem to me ample
> > reason to have a new policy for which this applies. Maybe it could be of
> > such granularity that it can be applied to just certain parts of the
> > message, like with signatures, say.
> >
> > I previously asked / commented on W3C's WS-Policy list but was directed
> > to this TC.
> >
> > http://lists.w3.org/Archives/Public/public-ws-policy/2008Apr/0000.html
> >
> > Best regards
> >
> > Stephen Green
> >
> > ______________________________________________________________________
> > 'Do it online' with our growing range of online services -
> > http://www.bristol.gov.uk/services
> >
> > Sign-up for our email bulletin giving news, have-your-say and event
> > information at: http://www.bristol.gov.uk/newsdirect
> >
> > Watch webcasts of Council meetings at http://www.bristol.gov.uk/webcast
> >
> > --
> > This publicly archived list offers a means to provide input to the
> > OASIS Web Services Secure Exchange (WS-SX) TC.
> >
> > In order to verify user consent to the Feedback License terms and
> > to minimize spam in the list archive, subscription is required
> > before posting.
> >
> > Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
> > Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
> > List help: ws-sx-comment-help@lists.oasis-open.org
> > List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
> > Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx