

Subject: Issue 168 FW: [ws-sx-comment] Policy to require persisted trace log encryption?


Giving this one an issue number to keep track of it, issue 168.

-----Original Message-----
From: Stephen Green [mailto:stephen.green@bristol.gov.uk]
Sent: Wednesday, April 02, 2008 6:35 AM
To: ws-sx-comment@lists.oasis-open.org
Subject: [ws-sx-comment] Policy to require persisted trace log encryption?

Greetings WS-SX TC

I've a question/comment regarding web services security policies.

I would expect, rightly or wrongly, that there would be a policy to require
that a web server handling a web service encrypt all messages for a
particular web service in *traces*. Is this within scope for ws security policy
specifications and is it already handled? Is it part of a security policy scope
to include the conformance requirement that for a certain encryption policy
in a web service the traces too are encrypted? If not then would it not be
the ideal for the scope to be increased to cover this, when such trace logs
are persisted and used for ongoing monitoring in production use?

As there are reasons to have traces still operating in production environments
(such as monitoring, perhaps for audit reasons) it seems reasonable that
a security policy covering encryption of all or part of the ws message
have a conformance requirement that the same policy be enforced in the trace
for 'end-to-end' security. Maybe if there is no such requirement for existing
policies then there would seem to me ample reason to have a new policy
for which this applies. Maybe it could be of such granularity that it can be
applied to just certain parts of the message, like with signatures, say.

I previously asked / commented on W3C's WS-Policy list but was directed
to this TC.

http://lists.w3.org/Archives/Public/public-ws-policy/2008Apr/0000.html

Best regards




------------------------------------------------------------
Stephen Green

Senior IT Officer
Bristol City Council
Room G45, Romney House
Romney Avenue
Bristol  BS7 9TB
Tel: 0117 922 3794
Fax: 0117 922 4877
Email: stephen_green@bristol.gov.uk




--
This publicly archived list offers a means to provide input to the
OASIS Web Services Secure Exchange (WS-SX) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: ws-sx-comment-subscribe@lists.oasis-open.org
Unsubscribe: ws-sx-comment-unsubscribe@lists.oasis-open.org
List help: ws-sx-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/ws-sx-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-sx


