> Hi Rainer,
> 
> I'm still not seeing too many responses about how TLS is 
> authenticated. 

I guess you do not see them because most often it is used anonymously...
In my experience, people are concerned about message observation.
Authentication is not their prime concern (my previous post detailed
why it isn't - hint: Intranet, "authentication" via sender IP address).

> Only Baszi has said that full X.509 certificates should be 
> used - similar 
> to how they are used in stunnel.  Is this acceptable to the 
> WG?  

Anyhow, TLS authentication is pretty easy. If you do it as in stunnel
(and that's always an option), you do not necessarily need to set up a
full PKI. Files with the private keys do well. Distributing them to the
senders should not be more hassle than distributing shared secrets.

> Should 
> the WG also consider using PSKs as proposed in RFC 4279?
> 
> Having authenticated TLS will address many of the threats 
> described in RFC 
> 3164.  Is this how the Working Group wants to proceed?  I'd 
> like to hear 
> from more people on this.

I recommend -transport-tls with two modes:

- unauthenticated TLS
- authenticated TLS

both are mandatory to implement but the user can choose which one he
needs (that means that nobody is forced to distribute certs or PKI if
only message observation shall be mitigated).

Rainer
> 
> Thanks,
> Chris
> 
> On Wed, 18 Jan 2006, Rainer Gerhards wrote:
> 
> > Chris,
> >
> >> I have not heard back from anyone about how SSL is currently being
> >> implemented for syslog.  From that, I might conclude that message
> >> confidentiality is not a priority for the community.
> >> (Responses to that
> >> would be welcome.)
> >
> > I thought that these postings pointed out what is done:
> >
> > http://www.mail-archive.com/syslog%40lists.ietf.org/msg00421.html
> > http://www.mail-archive.com/syslog%40lists.ietf.org/msg00420.html
> > http://www.mail-archive.com/syslog%40lists.ietf.org/msg00432.html
> > http://www.mail-archive.com/syslog%40lists.ietf.org/msg00411.html
> >
> > You might also want to review some of these documents:
> > http://www.stunnel.org/examples/syslog-ng.html
> > http://freshmeat.net/articles/view/1781/
> >
> > Rainer
> >
> 

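Worked example, added here and not part of the thread, of stunnel, or of any syslog implementation: a Go program that stands up a collector in each of the two proposed -transport-tls modes and shows what each one buys. Instead of a PKI, each side is handed the peer's self-signed certificate file and trusts exactly that (the stunnel-style setup Rainer describes). The names `Deliver`, `mustCert`, `must`, the "collector"/"sender"/"unknown-sender" certificates and the `Sample` log line are all constructed for this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Mode is one of the two proposed -transport-tls modes.
type Mode int

const (
	Unauthenticated Mode = iota // mitigates message observation only; any peer may connect
	Authenticated               // the peer must present a certificate from the pinned set
)

// must panics on setup errors so the example stays short (helper constructed for this example).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert makes a throwaway self-signed certificate for one host (constructed; in practice the file an operator
// generates once and copies to the peer) plus that same certificate as a trust set, like stunnel's CAfile: no PKI.
func mustCert(name string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Sample is a constructed RFC 3164 style message.
const Sample = "<34>Jan 18 14:02:11 sender su: 'su root' failed for lonvick on /dev/pts/8"

// Deliver runs a collector in the given mode, connects one sender and returns the line the collector accepted;
// senderKnown=false makes the sender use a certificate the collector was never given.
func Deliver(mode Mode, senderKnown bool) (string, error) {
	collector, collectorPool := mustCert("collector")
	sender, senderPool := mustCert("sender")
	if !senderKnown {
		sender, _ = mustCert("unknown-sender")
	}
	srv := &tls.Config{Certificates: []tls.Certificate{collector}, MinVersion: tls.VersionTLS12}
	cli := &tls.Config{Certificates: []tls.Certificate{sender}, ServerName: "collector", InsecureSkipVerify: mode == Unauthenticated}
	if mode == Authenticated { // each side trusts exactly the certificate file it was handed, as stunnel does
		srv.ClientAuth, srv.ClientCAs = tls.RequireAndVerifyClientCert, senderPool
		cli.RootCAs = collectorPool
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	var line string
	done := make(chan error, 1)
	go func() { // collector side: the first Read also runs the handshake, so a rejected client cert surfaces here
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		line, err = bufio.NewReader(conn).ReadString('\n')
		done <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil { // sender side
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		fmt.Fprintln(conn, Sample) // a write error here is irrelevant: the collector's verdict is what counts
		conn.Close()
	}
	if err := <-done; err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

func main() {
	for _, c := range []struct{ m Mode; known bool }{{Unauthenticated, false}, {Authenticated, true}, {Authenticated, false}} {
		line, err := Deliver(c.m, c.known)
		fmt.Printf("mode=%d known_sender=%v line=%q err=%v\n", c.m, c.known, line, err)
	}
}
```

Run with `go run`; the three outcomes are the point of the two-mode proposal: in the unauthenticated mode the line is delivered even from a sender whose certificate the collector has never seen (observation is mitigated, nothing else), in the authenticated mode the pinned sender is accepted and the unknown one is rejected during the handshake. `InsecureSkipVerify` on the sender side is deliberate in the unauthenticated mode and is exactly what that mode gives up; once certificate files are exchanged, the pinned pools replace it and no CA or PKI is involved.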
_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
