[Syslog] lower requirements? (Re: I-D Action:draft-ietf-syslog-transport-tls-12.txt)
Martin Schütte <lists@mschuette.name> Sat, 10 May 2008 15:54 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A55DD3A67F1; Sat, 10 May 2008 08:54:31 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC9383A67F1 for <syslog@core3.amsl.com>; Sat, 10 May 2008 08:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gXXT4Fo4DxNc for <syslog@core3.amsl.com>; Sat, 10 May 2008 08:54:29 -0700 (PDT)
Received: from mail.asta.uni-potsdam.de (mail.asta.uni-potsdam.de [141.89.58.198]) by core3.amsl.com (Postfix) with ESMTP id EA8063A65A5 for <syslog@ietf.org>; Sat, 10 May 2008 08:54:25 -0700 (PDT)
Received: from localhost (mail.asta.uni-potsdam.de [141.89.58.198]) by mail.asta.uni-potsdam.de (Postfix) with ESMTP id 47F9F7D8A1 for <syslog@ietf.org>; Sat, 10 May 2008 17:33:34 +0200 (CEST)
X-Virus-Scanned: on mail at asta.uni-potsdam.de
Received: from mail.asta.uni-potsdam.de ([141.89.58.198]) by localhost (mail.asta.uni-potsdam.de [141.89.58.198]) (amavisd-new, port 10024) with ESMTP id cGYYMjRbR+rD for <syslog@ietf.org>; Sat, 10 May 2008 17:33:22 +0200 (CEST)
Received: from [192.168.178.21] (BAEbf33.bae.pppool.de [77.132.191.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Martin Schuette", Issuer "AStA-CA" (verified OK)) by mail.asta.uni-potsdam.de (Postfix) with ESMTP id 9B4877D884 for <syslog@ietf.org>; Sat, 10 May 2008 17:33:21 +0200 (CEST)
Message-ID: <4825DC63.8020901@mschuette.name>
Date: Sat, 10 May 2008 17:33:23 +0000
From: Martin Schütte <lists@mschuette.name>
User-Agent: Thunderbird 2.0.0.12 (X11/20080427)
MIME-Version: 1.0
To: syslog@ietf.org
References: <20080507150001.D3CB428C65B@core3.amsl.com>
In-Reply-To: <20080507150001.D3CB428C65B@core3.amsl.com>
Subject: [Syslog] lower requirements? (Re: I-D Action:draft-ietf-syslog-transport-tls-12.txt)
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
> The transport sender (TLS client) has three different options for > authenticating and authorizing the transport receiver (TLS server). I do not know if this has been discussed previously, but what is your opinion on lower requirements in order to get transport-tls supported by embedded devices, i.e. switches and printers? Scenario: I could imagine a printer (as the client) having a self-signed certificate and no ability to authenticate the server's certificate. As long as the server has a copy of the client's certificate and can verify it, a secure transport is possible. As an admin I would rather configure this one-way authentication and get a TLS-enabled device than having to fall back to UDP. Should this be an allowed scenario to be covered by tls-transport? Scenario2: Say the same printer with its self-signed cert is configurable with a CA-cert that enables it to authenticate the server (but maybe without checking the certificate's CN/dNSName/IP). That would allow a reasonably secure setup. -- Should this be an allowed scenario to be covered by tls-transport? In my opinion it should be, thus I would like to keep the requirements on authentication rules as simple as possible. -- Martin _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- [Syslog] I-D Action:draft-ietf-syslog-transport-t… Internet-Drafts
- [Syslog] FW: I-D Action:draft-ietf-syslog-transpo… Joseph Salowey (jsalowey)
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… David Harrington
- [Syslog] FW: FW: I-D Action:draft-ietf-syslog-tra… Rainer Gerhards
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… robert.horn
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Rainer Gerhards
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Moehrke, John (GE Healthcare)
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Rainer Gerhards
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… David Harrington
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Rainer Gerhards
- [Syslog] lower requirements? (Re: I-D Action:draf… Martin Schütte
- [Syslog] why fingerprints? (Re: I-D Action:draft-… Martin Schütte
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Joseph Salowey (jsalowey)
- Re: [Syslog] why fingerprints? (Re: I-DAction:dra… Joseph Salowey (jsalowey)
- Re: [Syslog] lower requirements? (Re: I-DAction:d… Joseph Salowey (jsalowey)
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Pasi.Eronen@nokia.com
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Rainer Gerhards
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Joseph Salowey (jsalowey)
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… Rainer Gerhards
- Re: [Syslog] I-D Action:draft-ietf-syslog-transpo… tom.petch