Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-09 Thread tom.petch
erts? Tom Petch - Original Message - From: <[EMAIL PROTECTED]> To: "'Sam Hartman'" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, February 07, 2007 5:18 PM Subject: Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls transport-t

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-08 Thread Eliot Lear
This is precisely the sort of thing that RFC 3195 attempted. You want authenticated source? You can have it. You want authenticated server? You can have that too. You can even have unauthenticated server with authenticated client. As we've just released a revision draft, I suggest people

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-07 Thread robert . horn
EMAIL PROTECTED] | | cc: [EMAIL PROTECTED] | | Subject: Re: [Syslog] AD Review for draft-ietf-syslo

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-07 Thread Sam Hartman
It sounds like trust anchor selection (what security people talk about when the rest of the world talks about set of root CAs) is actually very important to you. It's just that you don't actually consider the traditional root CAs part of your trust anchor set; you have a much smaller trust anchor

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-07 Thread robert . horn
transport-tls should be designed to enable policy decisions. This group is not able to make policy decisions. Some of this discussion is really policy making. Policy discussions within syslog should be oriented towards ensuring that any reasonable policy can be properly supported. For example,

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-07 Thread Sam Hartman
> "Miao" == Miao Fuyou <[EMAIL PROTECTED]> writes: Miao> Yes, peer entity authentication is separate from integrity, Miao> this is addressed in section 3 of the current Miao> document. Client-only authentication is not available in Miao> TLS, so I think it is safe to say "peer

RE: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-07 Thread Miao Fuyou
ROTECTED] > Sent: Tuesday, February 06, 2007 11:56 PM > To: Miao Fuyou > Cc: [EMAIL PROTECTED] > Subject: Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls > > I recommend that you drop message stream modification if my analysis > > [At this point, we're still

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-06 Thread Sam Hartman
I recommend that you drop message stream modification if my analysis [At this point, we're still figuring out what we want to say. I'm speaking as an individual not an AD.] of the charter is a correct analysis and we meant for that to apply to syslog-sign. I recommend you split out peer entity a

RE: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-06 Thread Miao Fuyou
artman [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 31, 2007 5:37 PM > To: Miao Fuyou > Cc: [EMAIL PROTECTED] > Subject: Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls > > > I'll get back to you on the generic certificates issue. For > now, I recommend

RE: Relays was Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-05 Thread David Harrington
AIL PROTECTED] > Subject: Relays was Re: [Syslog] AD Review for > draft-ietf-syslog-transport-tls > > > > Tom Petch > > - Original Message - > From: "Miao Fuyou" <[EMAIL PROTECTED]> > To: "'Sam Hartman'" <[EMAIL PR

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-01 Thread Sam Hartman
> "Miao" == Miao Fuyou <[EMAIL PROTECTED]> writes: Miao> Section 2 identifies masquerade as a major security threat Miao> for syslog. In the draft, client authentication and server Miao> authentication are SHOULDs (server authentication may not be Miao> spelled out explicitly).
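The policy space the thread keeps returning to, an authenticated collector with an anonymous sender versus both sides authenticated (the SHOULDs quoted above and the RFC 3195 comparison in the 2007-02-08 message), together with the trust anchor selection point from the 2007-02-07 message (the deployment's own CA as the whole anchor set, not the public root CAs), as a worked Go example. This program is added here for illustration; it is not code from the draft, from RFC 3195, or from anyone in the thread. Every CA and certificate in it is constructed in memory, and the names collector.example and fw-01.example, the loopback TCP handshake and the four scenario names are assumptions of the example rather than anything the draft specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issuer is a certificate with its private key; a CA issuer signs leaves.
type issuer struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// mint makes an in-memory P-256 certificate for name, signed by i and limited
// to eku. Called on the zero issuer it makes a self-signed CA instead.
func (i issuer) mint(name string, eku x509.ExtKeyUsage) (issuer, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // Go matches ServerName against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if i.cert == nil {
		i = issuer{tmpl, key}
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage, tmpl.DNSNames = x509.KeyUsageCertSign, nil, nil
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, &key.PublicKey, i.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return issuer{cert, key}, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// collectorConfig: present cert; verify client certs (as strictly as auth says) against anchors only, never the system root store.
func collectorConfig(anchors *x509.CertPool, cert tls.Certificate, auth tls.ClientAuthType) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert}, ClientCAs: anchors, ClientAuth: auth}
}

// deviceConfig: trust a collector only if its cert chains to anchors and names serverName; offer certs when asked.
func deviceConfig(anchors *x509.CertPool, serverName string, certs ...tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: anchors, ServerName: serverName, Certificates: certs}
}

// handshake runs one TLS handshake over loopback TCP; nil means both sides accepted their peer.
func handshake(server, client *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		defer raw.Close()
		srvErr <- tls.Server(raw, server).Handshake()
	}()
	conn, cerr := tls.Dial("tcp", ln.Addr().String(), client)
	serr := <-srvErr // a TLS 1.3 client finishes before the server has judged its certificate
	if cerr == nil {
		conn.Close()
		return serr
	}
	return cerr
}

// Scenarios builds a deployment CA and an unrelated outside CA and runs the four policies named by its results; nil means accepted.
func Scenarios() (mutualOK, deviceFromOutsideCA, serverOnly, collectorFromOutsideCA error) {
	deploy, _ := issuer{}.mint("deployment CA", 0)
	outside, _ := issuer{}.mint("outside CA", 0)
	anchors := x509.NewCertPool()
	anchors.AddCert(deploy.cert) // the only trust anchor either side consults
	const host = "collector.example"
	_, collector := deploy.mint(host, x509.ExtKeyUsageServerAuth)
	_, rogue := outside.mint(host, x509.ExtKeyUsageServerAuth)
	_, device := deploy.mint("fw-01.example", x509.ExtKeyUsageClientAuth)
	_, stranger := outside.mint("fw-01.example", x509.ExtKeyUsageClientAuth)
	mutualOK = handshake(collectorConfig(anchors, collector, tls.RequireAndVerifyClientCert), deviceConfig(anchors, host, device))
	deviceFromOutsideCA = handshake(collectorConfig(anchors, collector, tls.RequireAndVerifyClientCert), deviceConfig(anchors, host, stranger))
	serverOnly = handshake(collectorConfig(anchors, collector, tls.NoClientCert), deviceConfig(anchors, host))
	collectorFromOutsideCA = handshake(collectorConfig(anchors, rogue, tls.NoClientCert), deviceConfig(anchors, host))
	return
}

func main() { fmt.Println(Scenarios()) }
```

Run it with go run and the four results print in the order the signature names them: the first and third are nil, the second and fourth are certificate-verification errors. The knobs that carry the thread's points are ClientAuth on the collector (tls.NoClientCert versus tls.RequireAndVerifyClientCert is where the client-authentication SHOULD lands in a configuration) and the ClientCAs and RootCAs pools, which hold only the deployment CA, so a certificate from any other issuer, however widely trusted elsewhere, fails on either side. The combination the thread notes TLS does not offer, an anonymous collector with an authenticated device, has no case here: Go's tls.Server has to present a certificate of its own before it can request one.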

RE: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-02-01 Thread Miao Fuyou
age- > From: Sam Hartman [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 31, 2007 5:37 PM > To: Miao Fuyou > Cc: [EMAIL PROTECTED] > Subject: Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls > > > I'll get back to you on the generic certificates issue.

Relays was Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-01-31 Thread tom.petch
Tom Petch - Original Message - From: "Miao Fuyou" <[EMAIL PROTECTED]> To: "'Sam Hartman'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, January 31, 2007 5:50 AM Subject: RE: [Syslog] AD Review for draft-ietf-syslog-transp

Re: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-01-31 Thread Sam Hartman
I'll get back to you on the generic certificates issue. For now, I recommend you read RFC 4107. Also note that each device needs a unique MAC address so the manufacturing process tends to have a step for making a device unique. So, it sounds like all forms of authentication are optional in th

RE: [Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-01-30 Thread Miao Fuyou
Hi Sam, Thanks for the review! My response is inline. Regards, Miao > -Original Message- > From: Sam Hartman [mailto:[EMAIL PROTECTED] > Sent: Wednesday, January 31, 2007 7:23 AM > To: [EMAIL PROTECTED] > Subject: [Syslog] AD Review for draft-ietf-syslog-transport-tl

[Syslog] AD Review for draft-ietf-syslog-transport-tls

2007-01-30 Thread Sam Hartman
Hi, folks. I had no comments on the UDP draft or the main protocol draft so I have forwarded them to IETF last call. I do have some concerns with the TLS draft. First, I think the idea of generic certificates will not meet with consensus of the security community. It may be OK to use the same