Re: [Syslog] transport-tls vs. syslog-sign
"Rainer Gerhards" <rgerhards@hq.adiscon.com> Fri, 16 May 2008 15:06 UTC
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 913623A6B30; Fri, 16 May 2008 08:06:57 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D49BE28C197; Fri, 16 May 2008 08:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.585
X-Spam-Level:
X-Spam-Status: No, score=-2.585 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oORJLiNZRuey; Fri, 16 May 2008 08:06:53 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18]) by core3.amsl.com (Postfix) with ESMTP id 652743A68D2; Fri, 16 May 2008 08:06:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailin.adiscon.com (Postfix) with ESMTP id C6E937AD812; Fri, 16 May 2008 17:06:36 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-+GIwxe9hW2; Fri, 16 May 2008 17:06:36 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de [80.152.154.124]) by mailin.adiscon.com (Postfix) with ESMTP id 7418E7AD491; Fri, 16 May 2008 17:06:36 +0200 (CEST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Fri, 16 May 2008 17:06:45 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA30902C@grfint2.intern.adiscon.com>
In-Reply-To: <OFA69FA922.6593B43C-ON8525744B.004E0E56-8525744B.004F8054@agfa.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Syslog] transport-tls vs. syslog-sign
Thread-Index: Aci3Y3f480di08aZQDiECPfyxujeBAAAEeog
References: <577465F99B41C842AAFBE9ED71E70ABA309028@grfint2.intern.adiscon.com> <OFA69FA922.6593B43C-ON8525744B.004E0E56-8525744B.004F8054@agfa.com>
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: robert.horn@agfa.com
Cc: syslog@ietf.org, syslog-bounces@ietf.org
Subject: Re: [Syslog] transport-tls vs. syslog-sign
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org
Hi Robert, thanks again for the excellent description. My comments below... > -----Original Message----- > From: robert.horn@agfa.com [mailto:robert.horn@agfa.com] > Sent: Friday, May 16, 2008 4:28 PM > To: Rainer Gerhards > Cc: syslog@ietf.org; syslog-bounces@ietf.org > Subject: Re: [Syslog] transport-tls vs. syslog-sign > > > [Rainer] Hi all, > > > > I did a cross-check today between the two drafts. Both require > > certificates. Syslog-sign actually includes distribution policies in > > section 5. There is a huge difference between the ways certificates > are > > handled in both drafts. > > > > Implementing both will at least require duplicate/different code for > > like tasks. Same goes for the administration. I have not yet a > solution > > proposal, but I would like to make the WG aware of this fact. > > > > What are your thoughts? > > > > [RJHorn] > > To some degree you are describing the present state of implementation > for > certificate and key management. It's a mess. > > I expect that in the end this will generalize into: > > - For each different application purpose (browsing, signing, > prescribing, > logging, payments, ...) there will be stores for > - Private key information (used locally to sign, etc.) > - Trusted individual certificates (e.g., self-signed but not > restricted > to self-signed) > - Trusted signing certificates > - Anchors of Trust > > With luck there will emerge common maintenance methods, but they sure > aren't there now. For each browser I've got a different maintenance > method for trusted signers, trusted individual certificates, and > private > key information. I don't have any browsers that actually manage usig > an > anchor of trust. And that is for the single application purpose of > browsing. The browsers are all different. > > The nature and meanings of trust is dependent on the application > purpose, > so you should not have a single single store. We will always need a > way > to have different stores for different purposes. Meanwhile, we struggle > with every implementation having different maintenance methods. At > least > they agree on the PKCS format for exchanging these elements. I don't > see > syslog as the proper venue for doing more than defining use cases for > this. Longer term, I hope that a common agreement emerges on how to > name > and organize these stores so that common maintenance can be > implemented. > > For the specifics of sign vs transport, is there an application > difference > between being an authenticated sender of messages, and being an > authenticated signer of messages? I think that there is, so they do > need > to be separate stores. I haven't looked at the details of > functionality > required by sign because I haven't had any real uses yet for signing > the > messages. The differences should be reducable to using different > stores > for key and certificate information, and performing different > operations > (e.g., signing) on the messages. [Rainer] The differences I see is that between the two there are differences in what modes can be used. For example -sign -transport-tls x.509 yes yes fingerprints no yes openPgP yes no (other) yes (N/A) Also, -sign specifies how certificates are distributed (section 5.2, 5.3 among others). -transport-tls does not talk about certificate distribution. In fact, -sign focuses very much on the distribution. -sign also describes something that one could call a threat model in its security considerations (section 8). There is a strong overlap between these two. For example, -sign 8.8 is addressed in -tls 3 (confidentiality) and could be referenced as a solution. On the other hand, -tls does not spell out countermeasures found in -sign against the remaining threats. So I think it is more than just different stores. I think both drafts define the threat model, talk about authentication, and talk (or be silent) on certificate distribution. There are just a number of differences between them. As I outlined in my mail yesterday, -tls cannot really authenticate the originator. -sign can do that. -sign cannot provide confidentiality. -tls can do that. So a really secure system would need to utilize both. Then, it would at least be useful to have the same set of drafts reuse some ideas. Even the relationship between those two is not spelled out... If this inconsistency is acceptable in order to finally get things done, that's fine with me. I just wanted to make sure everybody is aware of that situation. Rainer _______________________________________________ Syslog mailing list Syslog@ietf.org https://www.ietf.org/mailman/listinfo/syslog
- [Syslog] transport-tls vs. syslog-sign Rainer Gerhards
- Re: [Syslog] transport-tls vs. syslog-sign robert.horn
- Re: [Syslog] transport-tls vs. syslog-sign Rainer Gerhards
- Re: [Syslog] transport-tls vs. syslog-sign robert.horn
- Re: [Syslog] transport-tls vs. syslog-sign tom.petch
- Re: [Syslog] transport-tls vs. syslog-sign Alexander Clemm (alex)