RE: Non-Repudiation - A Lower Level?

I think that the web services architecture should specify the security
architectural components necessary to provide the following auditing
functions (as defined in RFC2828):

   $ audit service
      (I) A security service that records information needed to
      establish accountability for system events and for the actions of
      system entities that cause them. (See: security audit.)

   $ security audit
      (I) An independent review and examination of a system's records
      and activities to determine the adequacy of system controls,
      ensure compliance with established security policy and procedures,
      detect breaches in security services, and recommend any changes
      that are indicated for countermeasures. [I7498 Part 2, NCS01]

      (C) The basic audit objective is to establish accountability for
      system entities that initiate or participate in security-relevant
      events and actions. Thus, means are needed to generate and record
      a security audit trail and to review and analyze the audit trail
      to discover and investigate attacks and security compromises.

   $ security audit trail
      (I) A chronological record of system activities that is sufficient
      to enable the reconstruction and examination of the sequence of
      environments and activities surrounding or leading to an
      operation, procedure, or event in a security-relevant transaction
      from inception to final results. [NCS04] (See: security audit.)

steve
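The RFC 2828 definitions quoted above say what an audit trail has to provide: a chronological record, attributable to the system entities that caused each event, that can later be reviewed and used to reconstruct a transaction. As an added illustration (not code from this thread, from RFC 2828, or from any W3C specification), the Python below is a small hash-chained audit service: each entry carries an HMAC-SHA256 over its own content and the previous entry's hash, so deleting, reordering or editing a record is detectable, and a reconstruction step pulls one transaction's history back out in order. The service names, event names, transaction id, timestamps and key are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Link value for the first entry in a chain (constructed convention for this example).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    """One chronological record: who did what, chained to the preceding record."""
    seq: int
    timestamp: str            # ISO 8601, supplied by the caller
    actor: str                # the system entity held accountable for the event
    action: str
    detail: Dict[str, object]
    prev_hash: str            # entry_hash of the preceding entry, or GENESIS_HASH
    entry_hash: str           # HMAC-SHA256 over prev_hash and the canonical body


def _entry_digest(seq, timestamp, actor, action, detail, prev_hash, key: bytes) -> str:
    # Canonical JSON so the same event always yields the same bytes to authenticate.
    body = json.dumps(
        {"seq": seq, "timestamp": timestamp, "actor": actor,
         "action": action, "detail": detail},
        sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev_hash.encode("ascii") + body, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only, hash-chained trail kept by a hypothetical audit service."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: List[AuditEntry] = []

    def record(self, timestamp: str, actor: str, action: str,
               detail: Dict[str, object]) -> AuditEntry:
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        seq = len(self._entries)
        digest = _entry_digest(seq, timestamp, actor, action, detail, prev_hash, self._key)
        entry = AuditEntry(seq, timestamp, actor, action, dict(detail), prev_hash, digest)
        self._entries.append(entry)
        return entry

    def entries(self) -> List[AuditEntry]:
        return list(self._entries)


def verify_trail(entries: List[AuditEntry], key: bytes) -> Optional[int]:
    """Return None if every entry chains correctly, otherwise the index of the
    first entry whose content, sequence number or link to its predecessor differs
    from what the audit service recorded (covers edits, deletions and reordering)."""
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != prev_hash:
            return i
        expected = _entry_digest(e.seq, e.timestamp, e.actor, e.action,
                                 e.detail, e.prev_hash, key)
        if not hmac.compare_digest(expected, e.entry_hash):
            return i
        prev_hash = e.entry_hash
    return None


def reconstruct(entries: List[AuditEntry], transaction_id: str) -> List[str]:
    """The review step: the sequence of events for one transaction, in recorded order."""
    return [f"{e.timestamp} {e.actor} {e.action}"
            for e in entries if e.detail.get("txn") == transaction_id]


def sample_trail(key: bytes = b"audit-service-key-for-demo-only") -> AuditTrail:
    """Constructed sample events for a payment exchange between two services (not real data)."""
    trail = AuditTrail(key)
    trail.record("2002-05-20T18:16:00Z", "buyer-svc", "order.submitted",
                 {"txn": "T-1001", "amount": 250.00})
    trail.record("2002-05-20T18:16:05Z", "seller-svc", "invoice.issued",
                 {"txn": "T-1001", "amount": 250.00})
    trail.record("2002-05-20T19:23:00Z", "buyer-svc", "payment.sent",
                 {"txn": "T-1001", "amount": 250.00})
    trail.record("2002-05-20T19:23:02Z", "seller-svc", "payment.acknowledged",
                 {"txn": "T-1001"})
    return trail


if __name__ == "__main__":
    key = b"audit-service-key-for-demo-only"
    entries = sample_trail(key).entries()
    print("trail intact:", verify_trail(entries, key) is None)
    for line in reconstruct(entries, "T-1001"):
        print(line)
    # A party that later alters the recorded amount breaks the chain at that entry.
    tampered = list(entries)
    tampered[2] = replace(entries[2], detail={"txn": "T-1001", "amount": 25.00})
    print("first bad entry:", verify_trail(tampered, key))
```

A keyed MAC gives whoever holds the key (here, the audit service) evidence that the trail was not altered after the fact, which is enough for the weak, audit-trail sense of non-repudiation discussed in this thread. It does not give the stronger, third-party-verifiable kind: for that each party would have to sign its own records with a private key, which this example deliberately leaves out.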
  -----Original Message-----
  From: www-ws-arch-request@w3.org [mailto:www-ws-arch-request@w3.org]
  On Behalf Of Champion, Mike
  Sent: Monday, May 20, 2002 7:23 PM
  To: www-ws-arch@w3.org
  Subject: RE: Non-Repudiation - A Lower Level?
    -----Original Message-----
    From: Cutler, Roger (RogerCutler) [mailto:RogerCutler@chevrontexaco.com]
    Sent: Monday, May 20, 2002 6:16 PM
    To: 'Champion, Mike'; www-ws-arch@w3.org
    Subject: RE: Non-Repudiation - A Lower Level?
    If there is a need for web services standards for non-repudiation (in
    the looser sense in which I am using the term) or auditing (perhaps in a
    stricter sense than the term is often used?) so that such applications
    can interoperate, then shouldn't that be part of the web services
    architecture we define?
  As I see it, there is a strong requirement that the web services
  architecture define the pieces that would implement "non repudiation" in
  the weak sense that there is an audit trail that either an application or
  some humans can use to resolve issues such as "you didn't pay" "yes we
  did."  I was objecting to getting down to the details, e.g. "Below a
  certain dollar amount of transaction, there is no need for third party
  overview for non-repudiation."  I see that as the job of some vertical
  industry standards group, or maybe some business process standards such
  as ebXML, but not the web services infrastructure.

  I have no STRONG objections if others want to put this sort of thing in
  our requirements, but I fear that we will be bogged down in details and
  never produce anything if we require ourselves to define everything.

Received on Tuesday, 21 May 2002 11:41:48 UTC