Re: [Syslog] Some revised text for syslog TLS

"tom.petch" <cfinss@dial.pipex.com> Thu, 29 May 2008 12:18 UTC

From: "tom.petch" <cfinss@dial.pipex.com>
To: "Moehrke, John (GE Healthcare)" <John.Moehrke@med.ge.com>, Rainer Gerhards <rgerhards@hq.adiscon.com>, "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, syslog <syslog@ietf.org>
References: <AC1CFD94F59A264488DC2BEC3E890DE505DFD90C@xmb-sjc-225.amer.cisco.com><577465F99B41C842AAFBE9ED71E70ABA309093@grfint2.intern.adiscon.com> <124CF5A7D55D6F43A4FD9437F28254D8EED6CB@ALPMLVEM05.e2k.ad.ge.com>
Date: Thu, 29 May 2008 09:54:07 +0200
Subject: Re: [Syslog] Some revised text for syslog TLS

----- Original Message -----
From: "Moehrke, John (GE Healthcare)" <John.Moehrke@med.ge.com>
To: "Rainer Gerhards" <rgerhards@hq.adiscon.com>; "Joseph Salowey (jsalowey)"
<jsalowey@cisco.com>; <syslog@ietf.org>
Sent: Tuesday, May 27, 2008 12:15 AM
Subject: Re: [Syslog] Some revised text for syslog TLS


> I have said this before, but people continue to go down this path...
>
> The TLS authentication has already proven that the 'other' side holds
> the private key... this is cryptographically secure authentication...
>

True, but authentication of what? This logic says you might as well use naked
public/private keys, as SSH does.  For me, the point of all the extra hassle of
certificates is that the keys are bound to an identity/identifier so you can
tell, to some degree (depending on what checks the CA has performed) to whom you
are talking.  Then it becomes a question of what identifier to use, CN, MAC,
etc.

At something of a tangent, I see work in RIPE (and the IETF) to use (R)PKI to
secure the routing system so it will become possible to authenticate the
assignee of an IP address.  Not directly applicable, but encouraging both for
the use of PKI and for the acceptability of IP addresses therein.

Tom Petch

> Adding a check of the IP address or DNS address adds very very little
> value, and is not cryptographically secure (unless using Secure DNS).
>
> Therefore there is little value to adding IP or hostname checking, and
> lots of ways it will break (NAT, DHCP, etc).
>
> John
>
> > -----Original Message-----
> > From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> Behalf
> > Of Rainer Gerhards
> > Sent: Monday, May 26, 2008 2:19 AM
> > To: Joseph Salowey (jsalowey); syslog@ietf.org
> > Subject: Re: [Syslog] Some revised text for syslog TLS
>

_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog