[Syslog] -transport-tls-12, section 4.2.3 (fingerprint format)

Rainer Gerhards <rgerhards@hq.adiscon.com> Thu, 08 May 2008 15:46 UTC

Hi,

yet another question on the fingerprints. My context is that I am
thinking what I need to compare in order to authorize via fingerprints.

Text in question is:

===
The RECOMMENDED mechanism to generate a fingerprint is to take the
SHA-1 hash of the certificate and convert the 20 byte result into 20
colon separated, hexadecimal bytes, each represented by 2 uppercase
ASCII characters.  When a fingerprint value is displayed or
configured the algorithm used to generate the fingerprint SHOULD be
indicated.
===

What is "the algorithm used to generate..."? Is it SHA1 et al, thus
the hash algorithm used? Or is it actually the algorithm that was
used to generate the fingerprint?

If it is the former, it sounds like I should compare the hash values
and not actually the fingerprints. So

55:D8:43:57:39:6C:23:0F:86:B1:EB:93:1E:F3:09:DE:7B:8B:62:70
55-D8-43-57-39-6C-23-0F-86-B1-EB-93-1E-F3-09-DE-7B-8B-62-70

are identical (it is just RECOMMENDED to use colons). However, this
assumes that the fingerprint is always a hash. In this case, I think it
would be preferable to talk directly about the hash values.

If the fingerprint is not necessarily a hash, I need to compare the 
actual fingerprint, the ASCII representation. Then, the two strings above
would be different. That could cause interop problems.

I propose that we strictly define fingerprints to be arbitrarily long 
printable USASCII. If the fingerprint contains unprintable data, the
whole string must be encoded as a set of octets represented by 2 USASCII
hex characters delimited by colons - or we may specify this format for
all cases. This does not tie us to hashes but prevents interoperability
problems due to different formats.

Rainer
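
What the message describes, comparing the hash bytes rather than the display string so that the colon- and dash-separated spellings authorize the same certificate, as an added Python example that is not part of the original message or of the draft. It assumes an "ALGO:" prefix as the way of indicating the algorithm (the draft says the algorithm SHOULD be indicated but does not fix a syntax), assumes hashlib names such as SHA1 or SHA256 for that prefix, and uses a constructed byte string in place of a real DER certificate.

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed stand-in for the DER encoding of a peer certificate. It is not
# a real certificate; any byte string serves to demonstrate the fingerprint logic.
SAMPLE_DER = b"constructed-stand-in-for-der-certificate-bytes"

_SEPARATORS = re.compile(r"[:\-\s]+")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def fingerprint_bytes(der: bytes, algorithm: str = "sha1") -> bytes:
    """Raw hash of the certificate's DER encoding (20 bytes for SHA-1)."""
    return hashlib.new(algorithm, der).digest()


def format_fingerprint(digest: bytes, algorithm: str = "sha1") -> str:
    """Render a digest in the draft's RECOMMENDED form: colon-separated
    uppercase hex pairs. The 'ALGO:' prefix used to indicate the algorithm
    is an assumed convention, not a syntax the draft defines."""
    hex_pairs = ":".join(f"{b:02X}" for b in digest)
    return f"{algorithm.upper()}:{hex_pairs}"


def parse_fingerprint(text: str) -> Tuple[Optional[str], bytes]:
    """Accept colon- or dash-separated hex pairs in either case, with an
    optional leading algorithm name, and return (algorithm, raw bytes).
    Normalizing to bytes is what makes differently spelled strings equal."""
    tokens = [t for t in _SEPARATORS.split(text.strip()) if t]
    algorithm = None
    # A leading token that is not a two-character hex pair names the algorithm.
    if tokens and not _HEX_PAIR.fullmatch(tokens[0]):
        algorithm = tokens.pop(0).lower()
    if not tokens or not all(_HEX_PAIR.fullmatch(t) for t in tokens):
        raise ValueError(f"not a hex fingerprint: {text!r}")
    return algorithm, bytes(int(t, 16) for t in tokens)


def authorize_peer(der: bytes, configured: str) -> bool:
    """Authorization check: hash the presented certificate with the algorithm
    named in the configured fingerprint (SHA-1 when none is given) and compare
    the digest bytes in constant time. A length mismatch, e.g. a SHA-256
    fingerprint configured without its algorithm name, simply fails."""
    algorithm, expected = parse_fingerprint(configured)
    actual = fingerprint_bytes(der, algorithm or "sha1")
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = format_fingerprint(fingerprint_bytes(SAMPLE_DER))
    print(fp)
    print(authorize_peer(SAMPLE_DER, fp.replace(":", "-").lower()))
```

Storing the configured value as (algorithm, bytes) at load time, as `parse_fingerprint` does, also means an operator's typo in a separator or letter case is rejected or normalized once, when the configuration is read, rather than silently failing to match at connection time.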