IETF Logo Mail Archive

Re: [Syslog] Document shepherd report of AD concerns

robert.horn@agfa.com Fri, 16 May 2008 16:57 UTC

Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 855C93A680C; Fri, 16 May 2008 09:57:57 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 95FC63A680C; Fri, 16 May 2008 09:57:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRndrDI2EVnf; Fri, 16 May 2008 09:57:55 -0700 (PDT)
Received: from mornm01-out.agfa.com (mornm01-out.agfa.com [134.54.1.75]) by core3.amsl.com (Postfix) with ESMTP id 9C5EA3A67A1; Fri, 16 May 2008 09:57:53 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.27,498,1204498800"; d="scan'208";a="45718421"
Received: from morswa037.agfa.be (HELO morswa037.be.local) ([10.232.220.21]) by mornm01-out.agfa.com with ESMTP; 16 May 2008 18:57:46 +0200
In-Reply-To: <030101c8b762$75f61a40$0601a8c0@allison>
To: "tom.petch" <cfinss@dial.pipex.com>
MIME-Version: 1.0
Message-ID: <OF52AAC207.4C0FE54D-ON8525744B.005AA24A-8525744B.005D28CC@agfa.com>
From: robert.horn@agfa.com
Date: Fri, 16 May 2008 12:57:31 -0400
Cc: syslog <syslog@ietf.org>, syslog-bounces@ietf.org
Subject: Re: [Syslog] Document shepherd report of AD concerns
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

>[tom.petch]
> <rant>
> Fundamentally, someone else should be doing this, a policies in 
> security working
> group, perhaps a spinoff from pkix or tls (which I know ekr will reject 
out of
> hand:-).  We are the wrong people, IMO, to be proposing resolutions to 
such
> questions; it should be being done for us by those whose primary role is
> security, not network management.
> </rant>
>

I wasn't part of that group, but I am part of the policy world.  It makes 
sense for the syslog group to jointly with some policy people propose that 
"this is a reasonable risk analysis for the use cases that drive our 
protocol".  The purpose of this risk analysis is the derivation of the 
underlying protocol requirements.  But then, it is just the protocol 
requirements that remain normative.  The risk analysis lives on for 
reviewers, so that they have context, and for future users so that they 
can assess whether their real world implementation risks are significantly 
different.  If the real world is different, it just means that you need to 
re-assess whether syslog-tls will meet your needs, will need some extra 
mitigations, or whatever.  This keeps the policy and risk assessment 
portion non-normative.  So when I review something like this for policy I 
want to see the analysis, but not see it become normative.

Real normative policy work does not belong in SDOs at all.  It belongs in 
legislatures, regulatory groups, and business management.  I've seen far 
too many efforts (past and present) where people attempt to use SDOs to 
bypass the public political process.  They think that making it standard 
lets them bypass the ugly and difficult problems of dealing with the 
parliamentary process.  It doesn't work.  It just means that the standards 
become inconsistent with laws and regulations.  That means that 
implementations become inconsistent.  The SDO policy thought needs to 
reflect instead the consideration "what are the range of potential 
policies that will apply" and make sure that the protocol is able to 
support the bulk of those policies.  The extra from the IESG seems to be 
that there be some reasonable baseline policy that is a reasonable subset 
of the bulk of the policies, and mandate that at least that much be 
supported.

That's where I end up with the basic notion of having the various 
certificate stores, some sort of certificate store management, and 
protocol enforcement of certificate verification.  That leaves a baseline 
mandatory policy assumption that there will be bidirectional certificate 
verification within the protocol.  All the rest of policy becomes the 
rules around certificate stores and store management.  Those don't belong 
in syslog standard beyond the requirement that they exist somehow.  Yes, I 
wish there were more agreement on the policies and the resulting needs for 
stores and store management.  I can see syslog contributing it's use cases 
and examples to those needs.  I don't see it incorporating them into the 
standard, or being the right group to define them.

I would not divorce the policy work completely.  Most of the security 
policy work in SDOs has been dealing with human identity management for 
various authentication and authorization purposes.  That is a very 
different application than syslog.  Those use cases do not map well onto 
the automated machine logging application.

R Horn
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog

v2.23.0 | Report a Bug | By Email