Re: Audit trails with Credential Server
Hi Stephen
True, it does not affect interoperability. So just defining a minimum set of attributes {or data blocks} that should be logged would suffice and any gotchas that might be associated with these.
Regards
Michael
----- Original Message -----
From: Stephen Farrell <stephen.farrell@xxxxxxxxxxxx>
To: Michael Leahy <Michael.Leahy@xxxxxx>
Cc: <ietf-sacred@xxxxxxx>
Sent: Tuesday, September 26, 2000 11:30 AM
Subject: Re: Audit trails with Credential Server
>
> Michael,
>
> You're right that audit is important, however, I don't see
> where any of this affects interoperability, at least not
> with the data you suggest auditing. If that's true, then
> it doesn't belong in our specs, except perhaps if we want
> to give some guidance in an area where folks are otherwise
> likely to go wrong.
>
> Stephen.
>
> > Michael Leahy wrote:
> >
> > Hi
> >
> > "You are only as secure as your last audit trail" - Someone once said this to me (cannot remember
> > who) and it always sticks in my mind. So any thoughts on what information {if any} SHOULD be
> > logged by the credential server. I don't really want to go down the route of notaries but I do
> > believe that some minimum information should be kept.
> >
> > Here's a list that comes to mind
> > 1. User login ID (in whatever form the user authenticates themselves)
> > 2. Time that request was made
> > 3. User IP address - Since we have not decided on TCP/IP as the transport mechanism then what we
> > log here will obviously change.
> > 4. I would also recommend logging the request syntax (user) and server response. This way whatever
> > we decide on as the authentication mechanism we would get for free in the log
> >
> > Again I realize that what gets logged will be implementation dependent but it is in my opinion a
> > necessary function - so I believe we should define a minimum set.
> >
> > Any thoughts?
> >
> > Regards
> > Michael
>
> --
> ____________________________________________________________
> Stephen Farrell
> Baltimore Technologies, tel: (direct line) +353 1 647 7406
> 61 Fitzwilliam Lane, fax: +353 1 647 7499
> Dublin 2. mailto:stephen.farrell@xxxxxxxxxxxx
> Ireland http://www.baltimore.com
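
An added example, not part of the original thread or of any SACRED specification: one way a credential server could emit an audit entry carrying the four items from the list above. The field names, the `SECRET_FIELDS` set and the sample exchange are assumptions; the example also illustrates two gotchas of logging the request and response verbatim (secret material ending up in the log, and line breaks in user-supplied text).

```python
import json
from datetime import datetime, timezone

# Assumed names of fields that carry secret material (not from the thread).
SECRET_FIELDS = {"password", "passphrase", "credential", "private_key"}


def redact(value, key=None):
    """Return a copy of value with anything stored under a secret field masked."""
    if key in SECRET_FIELDS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def audit_record(user_id, peer, request, response, when=None):
    """Build one audit entry holding the four items listed in the thread."""
    when = when or datetime.now(timezone.utc)
    return {
        "user_id": user_id,             # 1. login ID as the user presented it
        "time": when.isoformat(),       # 2. time of the request, in UTC
        "peer": peer,                   # 3. transport plus address, not only IP
        "request": redact(request),     # 4. request syntax ...
        "response": redact(response),   #    ... and server response
    }


def to_log_line(record):
    """Serialize to one JSON line; json.dumps escapes CR/LF in user-supplied text."""
    return json.dumps(record, sort_keys=True)


# Constructed sample exchange, for illustration only.
SAMPLE = audit_record(
    user_id="alice\nforged-entry",
    peer={"transport": "tcp", "address": "192.0.2.10"},
    request={"op": "get", "auth": {"mechanism": "password", "password": "s3cret"}},
    response={"status": "ok", "credential": "constructed-blob"},
    when=datetime(2000, 9, 26, 11, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(to_log_line(SAMPLE))
```

The authentication mechanism still appears in the logged request, while the secret values themselves do not.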