
Re: Audit trails with Credential Server



Michael,

You're right that audit is important; however, I don't see 
where any of this affects interoperability, at least not 
with the data you suggest auditing. If that's true, then 
it doesn't belong in our specs, except perhaps if we want
to give some guidance in an area where folks are otherwise
likely to go wrong.

Stephen.

> Michael Leahy wrote:
> 
> Hi
> 
> "You are only as secure as your last audit trail" - Someone once said this to me (can not remember
> who) and it always sticks in my mind. So any thoughts on what information {if any} SHOULD be
> logged by the credential server. I don't really want to go down the route of notaries but I do
> believe that some minimum information should be kept.
> 
> Here's a list that comes to mind
> 1. User login ID (in whatever form the user authenticates themselves)
> 2. Time that request was made
> 3. User IP address - Since we have not decided on TCP/IP as the transport mechanism then what we
> log here will obviously change.
> 4. I would also recommend logging the request syntax (user) and server response. This way whatever
> we decide on as the authentication mechanism we would get for free in the log
> 
> Again I realize that what gets logged will be implementation dependent but it is in my opinion a
> necessary function - so I believe we should define a minimum set.
> 
> Any thoughts?
> 
> Regards
> Michael

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 647 7406
61 Fitzwilliam Lane,                    fax: +353 1 647 7499
Dublin 2.                mailto:stephen.farrell@xxxxxxxxxxxx
Ireland                             http://www.baltimore.com