|
Hi
"You are only as secure as your last audit trail" -
Someone once said this to me (can not remember who) and it always sticks in my
mind. So any thoughts on what information {if any} SHOULD be logged by the
credential server. I don't really want to go down the route of notaries but I do
beleive that some minimum information should be kept.
Here's a list that comes to mind
1. User login ID (in whatever form the user
authenticates themselves)
2. Time that request was made
3. User ip address - Since we have not decided on
TCP/IP as the transport mechanism then what we log here will obviously
change.
4. I would also recommend logging the request
syntax (user) and server response. This way whatever we decide on as the
authentication mechanism we would get for free in the log
Again I realize that what gets logged will be
implementation dependent but it is in my opinion a necessary function - so I
beleive me should define a minimum set.
Any thoughts ?
Regards
Michael |