Re: [Syslog] -transport-tls-12, section 4.2.3 (fingerprint format)

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Thu, 08 May 2008 20:03 UTC

Date: Thu, 08 May 2008 22:00:42 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA308FA9@grfint2.intern.adiscon.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE505C94F0A@xmb-sjc-225.amer.cisco.com>
References: <577465F99B41C842AAFBE9ED71E70ABA308FA6@grfint2.intern.adiscon.com> <AC1CFD94F59A264488DC2BEC3E890DE505C94F0A@xmb-sjc-225.amer.cisco.com>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] -transport-tls-12, section 4.2.3 (fingerprint format)

Hi Joe,

Back via the list, the list processor seems to have been recovered.
Thanks for your speedy reply.

> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:jsalowey@cisco.com] 
> Sent: Thursday, May 08, 2008 4:58 PM
> To: Rainer Gerhards
> Subject: RE: -transport-tls-12, section 4.2.3 (fingerprint format)
> 
> Hi Rainer,
> 
> Comments below: 
> 
> > -----Original Message-----
> > From: Rainer Gerhards [mailto:rgerhards@hq.adiscon.com] 
> > Sent: Thursday, May 08, 2008 7:39 AM
> > To: Joseph Salowey (jsalowey)
> > Subject: FW: -transport-tls-12, section 4.2.3 (fingerprint format)
> > 
> > Hi Joe,
> > 
> > it looks like there is a problem with the IETF list server. 
> > This and another message did not (yet?) go through. If you've 
> > got a minute, I would appreciate your thoughts (as I am in 
> > the middle of the implementation). I'll forward the other one, too.
> > 
> > Thanks,
> > Rainer
> > 
> > 
> > > -----Original Message-----
> > > From: Rainer Gerhards [mailto:rgerhards@hq.adiscon.com]
> > > Sent: Thursday, May 08, 2008 3:30 PM
> > > To: syslog@ietf.org
> > > Subject: -transport-tls-12, section 4.2.3 (fingerprint format)
> > > 
> > > Hi,
> > > 
> > > yet another question on the fingerprints. My context is that I am 
> > > thinking what I need to compare in order to authorize via
> > fingerprints.
> > > 
> > > Text in question is:
> > > 
> > > ===
> > > The RECOMMENDED mechanism to generate a fingerprint is to take the
> > > SHA-1 hash of the certificate and convert the 20 byte result into 20
> > > colon separated, hexadecimal bytes, each represented by 2 uppercase
> > > ASCII characters.  When a fingerprint value is displayed or configured
> > > the algorithm used to generate the fingerprint SHOULD be indicated.
> > > ===
> > > 
> > > What is "the algorithm used to generate..."? Is it SHA1 et al, thus
> > > the hash algorithm used? Or is it actually the algorithm that was used
> > > to generate the fingerprint?
> > > 
> [Joe] the algorithm is SHA1 which is the algorithm used to generate the
> fingerprint (I'm not sure I answered your question).

[Rainer] Yes, you answered it, and it is what I expected. I think it may
be useful that the hash algorithm is identified and not the algorithm to
generate the display text. But that's only an issue if there are
multiple ways to encode the display text.

> 
> > > If it is the former, it sounds like I should compare the hash values
> > > and not actually the fingerprints. So
> > > 
> > > 55:D8:43:57:39:6C:23:0F:86:B1:EB:93:1E:F3:09:DE:7B:8B:62:70
> > > 55-D8-43-57-39-6C-23-0F-86-B1-EB-93-1E-F3-09-DE-7B-8B-62-70
> > > 
> > > are identical (it is just RECOMMENDED to use colons). However, this
> > > assumes that the fingerprint is always a hash. In this case, I think it
> > > would be preferable to talk directly about the hash values.
> > > 
> [Joe] Yes, exactly.  I specified the format to be compatible with common
> tools such as openssl and browsers.  If another format is better then
> that is OK.

[Rainer] I think that format is very good. I'd just prefer to have a
MUST instead of a RECOMMENDED because I think it isn't useful to allow
multiple encodings here and it can cause interop problems.
> 
> > > If the fingerprint is not necessarily a hash, I need to compare the
> > > actual fingerprint, the ASCII representation. Then, the two strings
> > > above would be different. That could cause interop problems.
> > > 
> > > I propose that we strictly define fingerprints to be arbitrarily long
> > > printable USASCII. If the fingerprint contains unprintable data, the
> > > whole string must be encoded as a set of octets represented by 2
> > > USASCII hex characters delimited by colons - or we may specify this
> > > format for all cases. This does not tie us to hashes but prevents
> > > interoperability problems due to different formats.
> > > 
> [Joe] I think I agree with you.  The fingerprint should be general and I
> think it should have a consistent format.  It is also important to
> realize the fingerprint is meaningless unless you know what hash was used
> to generate it, so this information needs to be communicated with the
> fingerprint.

[Rainer] I agree - but that's also the reason why I think we should not
permit different ways of formatting the fingerprint.

Rainer
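Added here as a worked example (not Rainer's, rsyslog's or the draft's code) of the comparison discussed above: the configured fingerprint is decoded to hash octets and those are compared against the SHA-1 of the peer's DER certificate, so the colon and hyphen spellings quoted in the thread authorize the same certificate. The "SHA1:" label syntax for indicating the hash algorithm and the sample certificate bytes are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Hash functions a fingerprint may name; -transport-tls RECOMMENDS SHA-1.
FINGERPRINT_ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def parse_fingerprint(text, default_alg="sha1"):
    """Return (algorithm, raw hash bytes) for a configured fingerprint.

    Accepts the RECOMMENDED spelling (uppercase hex, colon separated) and
    also lowercase hex, hyphens or no separators, plus an optional leading
    algorithm label ("SHA1:..."; the label syntax is an assumption here).
    Comparing decoded octets rather than text is what makes the colon and
    hyphen spellings from the list compare as equal.
    """
    text = text.strip()
    alg = default_alg
    head, sep, rest = text.partition(":")
    if sep and head.lower() in FINGERPRINT_ALGORITHMS:
        alg, text = head.lower(), rest
    digits = re.sub(r"[:\-\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits) or len(digits) % 2:
        raise ValueError("fingerprint is not a sequence of hex octets")
    raw = bytes.fromhex(digits)
    expected_len = FINGERPRINT_ALGORITHMS[alg]().digest_size
    if len(raw) != expected_len:
        raise ValueError(f"{alg} fingerprint needs {expected_len} octets, got {len(raw)}")
    return alg, raw


def format_fingerprint(alg, raw):
    """Render hash bytes in the draft's RECOMMENDED display form, with the
    hash algorithm indicated as a leading label."""
    return alg.upper() + ":" + ":".join(f"{b:02X}" for b in raw)


def certificate_fingerprint(cert_der, alg="sha1"):
    """Hash the DER-encoded certificate; these octets are what gets compared."""
    return FINGERPRINT_ALGORITHMS[alg](cert_der).digest()


def fingerprint_matches(cert_der, configured):
    """Authorize a peer certificate against a configured fingerprint string,
    comparing the decoded hash octets in constant time."""
    alg, expected = parse_fingerprint(configured)
    return hmac.compare_digest(certificate_fingerprint(cert_der, alg), expected)


# Constructed stand-in for a peer's DER certificate (arbitrary bytes, not a real cert).
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a\x02\x01\x01" + bytes(range(64))
```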
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog