On Tue, 11 Jun 2002, Marc E. Mandel wrote:

> In response to Ron DuFresne:
> Baltimore's UniCERT product is designed to be a root CA and the digital
> signing of the log entry by its agent software upon creation of the log
> entry will meet the legal requirements for providing
> trustworthiness.  Baltimore also operates a commercial CA if an
> organization prefers not to build its own CA infrastructure.
>
> Note that best practice would have the log entry signed at its creation by
> an internal trusted program, such as Baltimore's agent code.  While you
> could send the entry to an external notary service for signing, such an
> approach would allow a narrow window for also sending false entries for
> signing.  The external approach is good for producing evidence of when
> something occurred and ensuring the integrity of the contents of the log
> entry once it is signed.  The only way that I know to prove that the log
> entry is original, would be to sign it as part of its creation.  The public
> key infrastructure (PKI) software to accomplish this exists.  It would be
> ideal to have it signed via an API call from within the firewall's logging
> code.


This still leaves me and/or my company in charge of all verification; there
is no 3rd party involved to verify my work and signature and such. One
might well do the same thing with home grown tools under openssl far
cheaper?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
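As an added example (not from either poster, and not Baltimore's UniCERT or agent code), here is what the "home grown tools under openssl" approach looks like: a hypothetical logging agent that signs each entry with its own RSA key at the moment the entry is created and chains each entry to the hash of the previous one, so an auditor holding only the public key can detect a line altered, dropped or inserted after the fact. It assumes a POSIX shell and the openssl CLI; the firewall entries are constructed samples.

```shell
#!/bin/sh
# Hypothetical sign-at-creation logging agent built on the openssl CLI.
# Entry format: time|prev_hash|message|base64_signature
# The signature covers "time|prev_hash|message"; prev_hash is the SHA-256 of
# the previous signed line, so every entry is bound to the one before it.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# One-time setup: the private key stays with the logging agent; only the
# public key is handed to whoever audits the log later.
openssl genrsa -out "$WORK/agent.key" 2048 2>/dev/null
openssl rsa -in "$WORK/agent.key" -pubout -out "$WORK/agent.pub" 2>/dev/null

sha256() { openssl dgst -sha256 | awk '{print $NF}'; }

# log_append LOGFILE MESSAGE : sign the entry as it is created
# (the message must not contain '|', which is the field separator)
log_append() {
    prev=$( [ -s "$1" ] && tail -n 1 "$1" | sha256 || echo 0 )
    body="$(date -u +%Y-%m-%dT%H:%M:%SZ)|$prev|$2"
    sig=$(printf '%s' "$body" | openssl dgst -sha256 -sign "$WORK/agent.key" | openssl base64 -A)
    printf '%s|%s\n' "$body" "$sig" >> "$1"
}

# log_verify LOGFILE PUBKEY : print the number of verified entries; return 1
# at the first entry whose signature or chain link does not check out.
log_verify() {
    prev=0; n=0
    while IFS= read -r line; do
        body=${line%|*}; sig=${line##*|}
        [ "$(printf '%s' "$body" | cut -d'|' -f2)" = "$prev" ] || return 1
        printf '%s' "$sig" | openssl base64 -d -A > "$WORK/sig.bin"
        printf '%s' "$body" | openssl dgst -sha256 -verify "$2" -signature "$WORK/sig.bin" >/dev/null 2>&1 || return 1
        prev=$(printf '%s\n' "$line" | sha256); n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Constructed sample firewall entries
LOG="$WORK/firewall.log"
log_append "$LOG" "DROP tcp 203.0.113.9:4455 -> 192.0.2.1:22"
log_append "$LOG" "ACCEPT tcp 198.51.100.4:51200 -> 192.0.2.1:443"
log_append "$LOG" "DROP udp 203.0.113.9:53 -> 192.0.2.1:53"
echo "intact log: $(log_verify "$LOG" "$WORK/agent.pub") entries verified"

# An entry edited after the fact fails its signature; an entry dropped or
# inserted breaks the chain link.  Neither can be repaired without the agent key.
sed '2s/ACCEPT/DROP/' "$LOG" > "$WORK/edited.log"
log_verify "$WORK/edited.log" "$WORK/agent.pub" >/dev/null || echo "edited log: verification failed as expected"
```

This covers origin and integrity only; whether an outside party will accept the agent's public key as belonging to that agent is exactly the point where a CA-issued certificate, internal or commercial, enters the picture.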
