Hi,
On Thu, 8 May 2008, Rainer Gerhards wrote:
<some elided for brevity>
> However, I wonder why it would be useful to auto-generate certs.
> Probably I am overlooking something obvious. But: isn't cert
> auto-generation equal to no authentication? After all, if a
> *self-signed* cert is generated by the remote peer AND we accept it,
> doesn't that essentially mean we accept any peer because the peer can
> put whatever it likes into the cert? I do not see why this is any better
> than having no cert at all...
It minimally protects against masquerade and disclosure, two of the
threats we agreed upon. It will also provide a TCP-based transport for
anyone who wishes/needs to have a mechanism to throttle the flow of
packets for congestion control - something that you cannot do with the UDP
transport.
Those are the reasons I can think of. You do raise a good point by
questioning this and I'd like to see some discussion from the WG. Are
these reasons sufficient to keep self-signed certs in the specification?
If so, should specific comments be made about their use?
WG Chair Hat sort'a on, sort'a off: I'm thinking that a self-signed cert
is the method of least effort to provide congestion control for syslog and
it should be included in the document just for that reason. This was the
objection raised by the Transport ADs when they saw that
syslog-transport-udp was the only REQUIRED transport. I agree that
self-signed certs don't really provide good protection and that should be
noted in the Security Considerations Section. If you don't agree with
this, please object now.
If you do agree with this, does the following text work:
===
(Perhaps as a third paragraph in Section 4.2.4)
Self-signed certificates will provide minimal protection against
modification and disclosure. Their use will not provide effective
protection against masquerade unless they are used with certificate
fingerprint authorization lists. The use of self-signed certificates
without certificate fingerprint authorization lists is NOT RECOMMENDED.
However since TLS is a TCP-based protocol, enabling TLS, even with
self-signed certificates, will effectively enable congestion control in
the network. See Section 8.6 of [syslog-protocol].
And perhaps merge the first three sentences of the above with the second
paragraph in Sec Considerations section 5.1. Current:
The use of self-signed certificates with certificate fingerprint
authorization lists provides more protection from masquerade and man-
in-the-middle attacks than forgoing certificate validation and
authorization.
===
Thanks,
Chris
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
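The point under discussion, that a self-signed certificate authenticates nobody until it is checked against a certificate fingerprint authorization list, is illustrated below as an added example; it is not code from this thread or from any syslog draft. The list entry format "SHA256:ab:cd:..." (algorithm name followed by the colon-separated hex digest of the DER-encoded certificate) is an assumption, and the PEER_*_DER byte strings are constructed stand-ins for real DER certificates.

```python
"""Certificate-fingerprint authorization for self-signed syslog/TLS peers.

Added illustration, not from the mailing-list thread or any syslog draft.
Assumptions: list entries look like "SHA256:ab:cd:..." and PEER_*_DER are
constructed stand-ins for the DER encoding of real self-signed certificates.
"""
import hashlib
import hmac
import ssl

# Constructed stand-ins for two peers' DER-encoded self-signed certificates.
PEER_A_DER = b"constructed DER bytes of relay A's self-signed certificate"
PEER_B_DER = b"constructed DER bytes of relay B's self-signed certificate"

SUPPORTED_ALGOS = ("sha256", "sha1")  # sha1 only to read legacy lists


def fingerprint(cert_der: bytes, algo: str = "sha256") -> str:
    """Fingerprint of a DER certificate in the assumed 'SHA256:ab:cd:...' form."""
    if algo not in SUPPORTED_ALGOS:
        raise ValueError(f"unsupported fingerprint algorithm: {algo}")
    hexdigest = hashlib.new(algo, cert_der).hexdigest()
    pairs = ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return f"{algo.upper()}:{pairs}"


def parse_fingerprint(entry: str) -> tuple[str, str]:
    """Normalise one configured entry to (algo, lowercase hex digest).

    Malformed entries are rejected loudly, so a typo in the list cannot
    silently become an entry that never matches.
    """
    algo, sep, hexpart = entry.strip().partition(":")
    algo = algo.lower()
    if not sep or algo not in SUPPORTED_ALGOS:
        raise ValueError(f"malformed fingerprint entry: {entry!r}")
    digest = hexpart.replace(":", "").lower()
    expected_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed fingerprint entry: {entry!r}")
    return algo, digest


def is_valid_entry(entry: str) -> bool:
    """True if the entry parses as a fingerprint in the assumed format."""
    try:
        parse_fingerprint(entry)
        return True
    except ValueError:
        return False


def authorize_peer(cert_der: bytes, allow_list: list[str]) -> tuple[bool, str]:
    """Decide whether a presented certificate belongs to an authorized peer.

    Returns (accepted, reason). An empty list is refused outright: a
    self-signed certificate with nothing to compare it against only proves
    that *someone* holds a private key, which is the no-authentication case
    the thread discusses.
    """
    entries = [parse_fingerprint(e) for e in allow_list]
    if not entries:
        return False, "empty fingerprint list: a self-signed cert authenticates nobody"
    for algo, expected in entries:
        actual = hashlib.new(algo, cert_der).hexdigest()
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True, f"matched {algo} fingerprint {expected[:16]}..."
    return False, "presented certificate is not in the fingerprint list"


def check_tls_peer(sock: ssl.SSLSocket, allow_list: list[str]) -> tuple[bool, str]:
    """Apply the list to a live TLS client socket.

    On the sending (client) side the context is created with
    verify_mode=ssl.CERT_NONE, since there is no CA a self-signed certificate
    chains to; the collector's certificate is still received, and
    getpeercert(binary_form=True) returns its DER bytes for the check.
    """
    cert_der = sock.getpeercert(binary_form=True)
    if not cert_der:
        return False, "peer presented no certificate"
    return authorize_peer(cert_der, allow_list)


if __name__ == "__main__":
    allow = [fingerprint(PEER_A_DER)]
    print("relay A, listed:     ", authorize_peer(PEER_A_DER, allow))
    print("relay B, not listed: ", authorize_peer(PEER_B_DER, allow))
    print("relay A, empty list: ", authorize_peer(PEER_A_DER, []))
```

The empty-list branch is the NOT RECOMMENDED configuration from the proposed text: TLS still gives confidentiality and TCP congestion control, but any peer that can generate a key pair is accepted. Only the list turns the self-signed certificate into a credential.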