
6.5.1 Log Collection and Storage

This section addresses Req. D1.2-2.22-GovtAccess.

In the TAS3 architecture the audit trail is collected and stored locally, primarily at the system entities (such as SPs, IdPs, the IM, and the like) or near them, in the organizations that operate these entities. Everyone who collects a log is bound by a Governance Agreement so that responsible behaviour can be enforced when technical solutions fall short in some area of protection.

The log events originate in various components at various times; see Annex 8 "Enumeration of Audit Events" for an idea of the types of events that will be generated. For example, the Web Services Stack component will check signatures on the tokens (assertions) that are presented and log both positive and negative outcomes.

The system entities that collect the audit trail, or the centralized audit function of the organization, report the events in summary form, essentially just pointers to the actual audit records, to the Audit Event Bus. Each component may keep its local log in its own format (in future we may provide a standard format), but the summary logging to the Audit Event Bus will follow the TAS3 standard format (this format will be presented in a future version of this architecture). To facilitate standard-format summary logging, TAS3 may provide a reusable software library.

The Audit Event Bus is divided into channels to which different events are broadcast. This allows minimal exposure, as subscriptions can be limited to relevant events only. The subscriptions can also be controlled such that only authorized parties with "need to know" can see certain types of events (see req IX above).

The Audit Event Bus is potentially implemented as part of a more generic Event Bus infrastructure, but due to special privacy and security requirements, Audit Events MUST NOT be mixed with other business messages, unless in encrypted form. If the generic event bus supports an encrypted private channel, a VPN if you like, then sharing of the infrastructure may be possible.
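The arrangement described above (full records kept locally, pointer-only summaries on the bus, per-channel subscriptions gated by need to know) can be sketched as follows. This is an added example, not TAS3 code: the TAS3 summary format is not yet defined, so the field names, channel names, subscriber names and the in-memory bus are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SummaryEvent:
    """Summary form: a pointer to a local audit record, never the record itself."""
    channel: str      # bus channel (channel names here are constructed)
    source: str       # reporting system entity, e.g. an SP or IdP
    record_ref: str   # opaque pointer into that entity's local log

class AuditEventBus:
    def __init__(self, need_to_know):
        self._acl = need_to_know          # subscriber -> channels it may see
        self._subs = defaultdict(list)    # channel -> [(subscriber, callback)]

    def subscribe(self, subscriber, channel, callback):
        if channel not in self._acl.get(subscriber, set()):
            raise PermissionError(f"{subscriber}: no need-to-know for {channel}")
        self._subs[channel].append((subscriber, callback))

    def publish(self, event):
        if not isinstance(event, SummaryEvent):   # no other business messages
            raise TypeError("not an audit summary event")
        for _, callback in self._subs[event.channel]:
            callback(event)
        return [name for name, _ in self._subs[event.channel]]

class SystemEntity:
    """An SP/IdP that keeps its full log locally, in its own format."""
    def __init__(self, name, bus):
        self.name, self.bus, self.local_log = name, bus, []
    def audit(self, channel, record):
        self.local_log.append(record)     # the full record stays local
        ref = f"{self.name}/log/{len(self.local_log) - 1}"
        return self.bus.publish(SummaryEvent(channel, self.name, ref))

def demo():
    bus = AuditEventBus({"auditor": {"token-validation", "consent"},
                         "helpdesk": {"consent"}})
    seen = {"auditor": [], "helpdesk": []}
    bus.subscribe("auditor", "token-validation", seen["auditor"].append)
    try:   # helpdesk has no need to know about signature-check events
        bus.subscribe("helpdesk", "token-validation", seen["helpdesk"].append)
        refused = False
    except PermissionError:
        refused = True
    sp = SystemEntity("sp.example", bus)
    # Constructed local log line for a failed assertion signature check
    delivered = sp.audit("token-validation", "sig-check assertion=_a1 result=FAIL")
    return refused, delivered, seen, sp.local_log
```

A subscriber that needs the full record must follow `record_ref` back to the collecting entity, which is where the Governance Agreement and local access control apply.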

The Audit Bus infrastructure MUST be free of conflicts of interest. In particular, it should not be operated by one of the SPs. If Event Bus sharing is implemented, the operator of the shared infrastructure MUST be free of conflicts of interest as well.

