Re: [Syslog] Self-signed certs - was: Re: -transport-tls-12, section 4.2.3 (fingerprints)
"Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com> Mon, 12 May 2008 09:38 UTC
Date: Mon, 12 May 2008 10:12:35 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB7297B110@vaebe104.NOE.Nokia.com>
In-Reply-To: <Pine.GSO.4.63.0805090536470.10011@sjc-cde-011.cisco.com>
References: <577465F99B41C842AAFBE9ED71E70ABA308FA8@grfint2.intern.adiscon.com><AC1CFD94F59A264488DC2BEC3E890DE505C94F0F@xmb-sjc-225.amer.cisco.com><577465F99B41C842AAFBE9ED71E70ABA308FAA@grfint2.intern.adiscon.com> <Pine.GSO.4.63.0805090536470.10011@sjc-cde-011.cisco.com>
From: "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>
To: clonvick@cisco.com, rgerhards@hq.adiscon.com
Cc: syslog@ietf.org
Subject: Re: [Syslog] Self-signed certs - was: Re: -transport-tls-12, section 4.2.3 (fingerprints)
Hi,

I think the real difference here is not "CA-issued certs" vs.
"self-signed certs", but "accepting any cert" vs. "accepting certs you
can verify (as trusted peers according to your local policy)".

We definitely want to discourage blindly accepting any certificate
(CA-issued or self-signed); but when properly verified, self-signed
certificates are not any less secure than CA-issued ones.

Best regards,
Pasi

> -----Original Message-----
> From: Chris Lonvick
> Sent: 09 May, 2008 16:20
> To: Rainer Gerhards
> Cc: syslog@ietf.org
> Subject: [Syslog] Self-signed certs - was: Re: -transport-tls-12, section 4.2.3 (fingerprints)
>
> Hi,
>
> On Thu, 8 May 2008, Rainer Gerhards wrote:
> <some elided for brevity>
> > However, I wonder why it would be useful to auto-generate certs.
> > Probably I am overlooking something obvious. But: isn't cert
> > auto-generation equal to no authentication? After all, if a
> > *self-signed* cert is generated by the remote peer AND we accept
> > it, doesn't that essentially mean we accept any peer because the
> > peer can put whatever it likes into the cert? I do not see why
> > this is any better than having no cert at all...
>
> It minimally protects against masquerade and disclosure, two of the
> threats we agreed upon. It will also provide a TCP-based transport
> for anyone who wishes/needs to have a mechanism to throttle the flow
> of packets for congestion control - something that you cannot do
> with the UDP transport.
>
> Those are the reasons I can think of. You do raise a good point by
> questioning this and I'd like to see some discussion from the WG.
> Are these reasons sufficient to keep self-signed certs in the
> specification? If so, should specific comments be made about their
> use?
>
> WG Chair Hat sort'a on, sort'a off: I'm thinking that a self-signed
> cert is the method of least effort to provide congestion control for
> syslog and it should be included in the document just for that
> reason. This was the objection raised by the Transport ADs when
> they saw that syslog-transport-udp was the only REQUIRED transport.
> I agree that self-signed certs don't really provide good protection
> and that should be noted in the Security Considerations Section. If
> you don't agree with this, please object now.
>
> If you do agree with this, does the following text work:
> ===
> (Perhaps as a third paragraph in Section 4.2.4)
>
> Self-signed certificates will provide minimal protection against
> modification and disclosure. Their use will not provide effective
> protection against masquerade unless they are used with certificate
> fingerprint authorization lists. The use of self-signed
> certificates without certificate fingerprint authorization lists is
> NOT RECOMMENDED. However since tls is a tcp-based protocol,
> enabling tls, even with self-signed certificates, will effectively
> enable congestion control in the network. See Section 8.6 of
> [syslog-protocol].
>
> And perhaps merge the first three sentences of the above with
> the second paragraph in Sec Considerations section 5.1. Current:
> The use of self-signed certificates with certificate fingerprint
> authorization lists provides more protection from
> masquerade and man-in-the-middle attacks than forgoing certificate
> validation and authorization.
> ===
>
> Thanks,
> Chris
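The distinction drawn in this exchange, "accepting any cert" versus "accepting certs you can verify against local policy", is what a certificate fingerprint authorization list implements for self-signed peers. The following Python is an added example and is not part of the thread or of any syslog draft. It assumes the colon-separated hex fingerprint text form `ALGO:AA:BB:...`, and the function names (`fingerprint`, `authorize_peer`, `connect_authorized`) and the byte strings standing in for DER certificates are constructed for illustration; they are not real certificates. The TLS context deliberately disables chain validation (a self-signed cert has nothing to chain to), so the fingerprint check after the handshake is the only thing separating this from blindly accepting any certificate.

```python
"""Certificate-fingerprint authorization for TLS peers with self-signed certs.

Added example (not from the syslog WG thread or any draft). Fingerprint text
form "ALGO:AA:BB:..." and all function names are assumptions made here.
"""
import hashlib
import hmac
import socket
import ssl

# Hash algorithms an allowlist entry may name; SHA-256 is the default we emit.
SUPPORTED_ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def fingerprint(cert_der: bytes, algo: str = "SHA256") -> str:
    """Return "ALGO:AA:BB:..." for a DER-encoded certificate."""
    algo = algo.upper()
    digest = SUPPORTED_ALGOS[algo](cert_der).digest()
    return algo + ":" + ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(text: str) -> tuple:
    """Parse an allowlist entry into (algo, raw digest); reject malformed ones.

    Case and surrounding whitespace are ignored so operator-typed entries work.
    """
    algo, sep, hexpart = text.strip().upper().partition(":")
    if not sep or algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported or missing hash algorithm in {text!r}")
    raw = bytes.fromhex(hexpart.replace(":", ""))
    if len(raw) != SUPPORTED_ALGOS[algo]().digest_size:
        raise ValueError(f"digest length does not match {algo} in {text!r}")
    return algo, raw


def authorize_peer(cert_der: bytes, allowlist) -> bool:
    """True iff the peer cert's fingerprint is on the locally configured list.

    An empty allowlist authorizes nobody: that is the "accept any cert"
    configuration this check exists to prevent. Comparison is constant-time.
    """
    for entry in allowlist:
        algo, expected = parse_fingerprint(entry)
        actual = SUPPORTED_ALGOS[algo](cert_der).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def make_fingerprint_pinning_context() -> ssl.SSLContext:
    """TLS client context for peers authorized by fingerprint rather than by CA.

    check_hostname/verify_mode are off because there is no chain to validate;
    the caller MUST run authorize_peer() on the handshake result and drop the
    connection on failure, or this degrades to accepting any certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_authorized(host: str, port: int, allowlist, timeout=5.0) -> ssl.SSLSocket:
    """Open a TLS connection and return it only if the peer cert is allowlisted."""
    ctx = make_fingerprint_pinning_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # binary_form=True returns the DER bytes even though chain validation is off.
    peer_der = tls.getpeercert(binary_form=True)
    if peer_der is None or not authorize_peer(peer_der, allowlist):
        tls.close()  # never send a single log line to an unauthorized peer
        raise ssl.SSLError(f"peer cert of {host}:{port} not in fingerprint allowlist")
    return tls


# Constructed stand-ins for DER-encoded certificates (not real certificates).
TRUSTED_RELAY_CERT = b"constructed DER bytes: trusted syslog relay"
ROGUE_CERT = b"constructed DER bytes: unknown peer claiming to be the relay"
ALLOWLIST = [fingerprint(TRUSTED_RELAY_CERT)]

if __name__ == "__main__":
    print("allowlist entry:", ALLOWLIST[0])
    print("trusted relay authorized:", authorize_peer(TRUSTED_RELAY_CERT, ALLOWLIST))
    print("rogue peer authorized:   ", authorize_peer(ROGUE_CERT, ALLOWLIST))
```

The allowlist is the local policy Pasi refers to: it is populated out of band (the operator records the relay's fingerprint when deploying it), and the check runs on the full DER so a peer that copies the subject name or any other field into its own self-signed cert still fails. `connect_authorized` is the pattern a syslog sender would use; it is not exercised offline.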