Re: [Syslog] lower requirements? (Re: I-DAction:draft-ietf-syslog-transport-tls-12.txt)

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Mon, 12 May 2008 04:10 UTC

From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Martin Schütte <lists@mschuette.name>, syslog@ietf.org
Subject: Re: [Syslog] lower requirements? (Re: I-DAction:draft-ietf-syslog-transport-tls-12.txt)


> -----Original Message-----
> From: syslog-bounces@ietf.org 
> [mailto:syslog-bounces@ietf.org] On Behalf Of Martin Schütte
> Sent: Saturday, May 10, 2008 10:33 AM
> To: syslog@ietf.org
> Subject: [Syslog] lower requirements? (Re: 
> I-DAction:draft-ietf-syslog-transport-tls-12.txt)
> 
> >    The transport sender (TLS client) has three different options for
> >    authenticating and authorizing the transport receiver 
> (TLS server).
> 
> I do not know if this has been discussed previously, but what 
> is your opinion on lower requirements in order to get 
> transport-tls supported by embedded devices, i.e. switches 
> and printers?
> 
[Joe] TLS is deployed to mitigate certain threats such as those described in the document. If you fail to mitigate these threats then the value of deploying TLS is diminished.

> Scenario:
> I could imagine a printer (as the client) having a 
> self-signed certificate and no ability to authenticate the 
> server's certificate.
> As long as the server has a copy of the client's certificate 
> and can verify it, a secure transport is possible. As an 
> admin I would rather configure this one-way authentication 
> and get a TLS-enabled device than having to fall back to UDP.
> Should this be an allowed scenario to be covered by tls-transport?
> 
[Joe] The scenario above does not mitigate server masquerade. I'm not sure this would be generally acceptable. However, I realize there are systems that work much in this way today.

> Scenario2:
> Say the same printer with its self-signed cert is 
> configurable with a CA-cert that enables it to authenticate 
> the server (but maybe without checking the certificate's 
> CN/dNSName/IP).
> That would allow a reasonably secure setup. -- Should this be 
> an allowed scenario to be covered by tls-transport?
> In my opinion it should be, thus I would like to keep the 
> requirements on authentication rules as simple as possible.
> 
[Joe] This seems like a workable scenario to me in some environments. This would require the CA to issue certificates only to authorized parties. Perhaps the argument can be made for the configuration of a root as a MUST and the specific types of subject name checks as RECOMMENDED with the appropriate security considerations discussion.

> -- 
> Martin
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
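The two sender-side configurations discussed in the thread, as an added example that is not part of the original messages or the draft: a Python `ssl` client context for scenario 1 (no receiver verification), scenario 2 (root configured, name check skipped) and the root-plus-name-check variant Joe suggests, together with the CN/dNSName/IP comparison that scenario 2 leaves out. Mode names, function names and file paths are assumptions.

```python
import ipaddress
import ssl


def sender_context(mode, ca_file=None, cert_file=None, key_file=None):
    """SSLContext for a transport sender (TLS client) in one of three modes.

    "client-only": scenario 1, the sender presents its own cert but does not
                   verify the receiver at all (server masquerade not mitigated).
    "ca-only":     scenario 2, chain verified against the configured root,
                   subject name check skipped.
    "full":        root configured plus dNSName/IP check of the receiver.
    File paths are assumptions; None skips loading so the context can be
    built without files (e.g. for inspection or tests).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cert_file:  # the sender's own, possibly self-signed, certificate
        ctx.load_cert_chain(cert_file, key_file)
    if mode == "client-only":
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif mode in ("ca-only", "full"):
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = mode == "full"
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ctx


def receiver_name_matches(peercert, expected):
    """The subject name check scenario 2 skips: does the receiver's
    certificate (dict form from SSLSocket.getpeercert()) name `expected`?
    dNSName/iPAddress SANs are used; CN is a fallback only when no dNSName
    SAN is present. Exact matching only, no wildcards."""
    try:
        want = ("ip", str(ipaddress.ip_address(expected)))
    except ValueError:
        want = ("dns", expected.lower())
    found = []
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            found.append(("dns", value.lower()))
        elif kind == "IP Address":
            found.append(("ip", str(ipaddress.ip_address(value))))
    if not any(k == "dns" for k, _ in found):
        for rdn in peercert.get("subject", ()):
            found += [("dns", v.lower()) for k, v in rdn if k == "commonName"]
    return want in found
```

With "ca-only", a certificate issued by the configured root for any host passes, so the CA policy Joe mentions (issuing only to authorized parties) is what stands between the sender and a masquerading receiver.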