ws-sx-comment message

Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?


It is limited by charter, but in fact all of the WS-* specs are limited
to Interoperability between Web Service Consumers and Web Services.
Internal behavior of any type is not specified by SOAP, WSDL,
WS-Addressing, WS-RM, WS-Security, etc.

Hal 

> -----Original Message-----
> From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
> Sent: Wednesday, April 02, 2008 10:56 AM
> To: Hal Lockhart; ws-sx-comment@lists.oasis-open.org
> Subject: RE: [ws-sx-comment] Policy to require persisted trace log encryption?
> 
> Thanks Hal - very quick response.
> 
> Is there much chance of the scope being increased or
> is it limited by charter? I would think this would put off
> many from using web services if they cannot ensure
> encryption of the message in a trace as well as on the
> wire. I'd compare it with what seems to be a better
> scope for security in the ebXML stack, such as ebBP
> where there is scope to cover how the message is
> treated *after* it is received. Is there some reason
> this kind of thing cannot be applied to other web
> services too?
> 
> 
> ------------------------------------------------------------
> Stephen Green
> 
> Senior IT Officer
> Bristol City Council
> Room G45, Romney House
> Romney Avenue
> Bristol  BS7 9TB
> Tel: 0117 922 3794
> Fax: 0117 922 4877
> Email: stephen_green@bristol.gov.uk
> 
> 
> 
> >>> "Hal Lockhart" <hlockhar@bea.com> 02/04/08 15:33 >>>
> At the current time, the scope of WS-SecurityPolicy (and in fact the
> entire family of WS-Security specifications) is the security mechanisms
> applied to messages passing between a Web Service Consumer and a Web
> Service. Thus the treatment of log, audit or trace files or their very
> existence is out of scope as are other issues such as the Authorization
> technology used, how stored application data is protected and which
> Token issuers are trusted.
> 
> Hal
> 
> > -----Original Message-----
> > From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
> > Sent: Wednesday, April 02, 2008 9:35 AM
> > To: ws-sx-comment@lists.oasis-open.org
> > Subject: [ws-sx-comment] Policy to require persisted trace log encryption?
> >
> > Greetings WS-SX TC
> >
> > I've a question/comment regarding web services security policies.
> >
> > I would expect, rightly or wrongly, that there would be a policy to
> > require that a web server handling a web service encrypt all messages
> > for a particular web service in *traces*. Is this within scope for ws
> > security policy specifications and is it already handled? Is it part of
> > a security policy scope to include the conformance requirement that for
> > a certain encryption policy in a web service the traces too are
> > encrypted? If not then would it not be the ideal for the scope to be
> > increased to cover this, when such trace logs are persisted and used
> > for ongoing monitoring in production use?
> >
> > As there are reasons to have traces still operating in production
> > environments (such as monitoring, perhaps for audit reasons) it seems
> > reasonable that a security policy covering encryption of all or part of
> > the ws message have a conformance requirement that the same policy be
> > enforced in the trace for 'end-to-end' security. Maybe if there is no
> > such requirement for existing policies then there would seem to me
> > ample reason to have a new policy for which this applies. Maybe it
> > could be of such granularity that it can be applied to just certain
> > parts of the message, like with signatures, say.
> >
> > I previously asked / commented on W3C's WS-Policy list but was directed
> > to this TC.
> >
> > http://lists.w3.org/Archives/Public/public-ws-policy/2008Apr/0000.html
> >
> > Best regards
> >
> >
> >
> >
> > ------------------------------------------------------------
> > Stephen Green
> >
> > Senior IT Officer
> > Bristol City Council
> > Room G45, Romney House
> > Romney Avenue
> > Bristol  BS7 9TB
> > Tel: 0117 922 3794
> > Fax: 0117 922 4877
> > Email: stephen_green@bristol.gov.uk
> >
> >
> >
> >
> > ______________________________________________________________________
> > 'Do it online' with our growing range of online services -
> > http://www.bristol.gov.uk/services
> >
> > Sign-up for our email bulletin giving news, have-your-say and event
> > information at: http://www.bristol.gov.uk/newsdirect
> >
> > Watch webcasts of Council meetings at http://www.bristol.gov.uk/webcast
> >
> > --
> > This publicly archived list offers a means to provide input to the
> > OASIS Web Services Secure Exchange (WS-SX) TC.
> >
> > In order to verify user consent to the Feedback License terms and
> > to minimize spam in the list archive, subscription is required
> > before posting.
> >
> > Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
> > Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
> > List help: ws-sx-comment-help@lists.oasis-open.org
> > List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
> > Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> > Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx
> 