From syslog-bounces@ietf.org  Wed Jul  2 09:21:54 2008
Message-ID: <486BAB1B.7090302@mschuette.name>
Date: Wed, 02 Jul 2008 18:21:47 +0200
From: Martin Schütte <lists@mschuette.name>
To: syslog@ietf.org
References: <Pine.GSO.4.63.0806200638540.6650@sjc-cde-011.cisco.com>
In-Reply-To: <Pine.GSO.4.63.0806200638540.6650@sjc-cde-011.cisco.com>
Subject: Re: [Syslog] Please review draft-ietf-syslog-transport-tls
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Chris Lonvick wrote:
> We're getting very close on this.  Can we get some people to look it 
> over and let us know what you think?

I'm OK with it.

In case someone's interested: I wrote a small comparison between the
current draft and my implementation in NetBSD's syslogd at
http://mschuette.name/wp/2008/07/02/the-state-of-transport-tls-and-its-implementation/

-- 
Martin
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog


From syslog-bounces@ietf.org  Fri Jul 11 09:52:05 2008
In-Reply-To: <Pine.GSO.4.63.0806200638540.6650@sjc-cde-011.cisco.com>
To: clonvick@cisco.com,
	syslog@ietf.org
Message-ID: <OF7F384F53.EE491783-ON85257483.005AAB62-85257483.005CA91E@agfa.com>
From: robert.horn@agfa.com
Date: Fri, 11 Jul 2008 12:52:06 -0400
Subject: Re: [Syslog] Please review draft-ietf-syslog-transport-tls

The syslog-transport-tls-13 looks OK.  I have the following 
comments/questions but they might not need any document changes.

1) In 4.2, are these the proper words for dealing with ongoing changes to
other standards and RFCs? Someday the SHA1 use will be deprecated.  The
people who do that probably are not syslog people and won't update this
document.

2) In 5.2, name matching becomes much more complex when non-Latin
alphabets are included.  Even the meaning of case-insensitive can become
unclear.  We deal with this routinely when doing person name matching and
point to the Unicode TR-15 character matching rules and specify that the
NFC rule set defines "equality".  This is also the W3C recommendation.  We
then note that culture-specific matching rules may be needed, e.g., the
alternative encodings of "Strasser" in German are not "equal" by the NFC
rules.  Will this automatically flow through from the non-Latin extensions
for DNS and thus dnsName, or is something needed here?

I expect that there will still be implementer questions about some of the 
fingerprint and other rules, but these requirements are clear about the 
wire protocol.  It's not specific and should not be regarding user 
interface and configuration files.  So I agree with what is written.

Kind Regards,

Robert Horn | Agfa HealthCare
Research Scientist | HE/Technology Office
T  +1 978 897 4860

Agfa HealthCare Corporation, 100 Challenger Road, Ridgefield Park, NJ, 
07660-2199, United States
http://www.agfa.com/healthcare/
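Added example, not part of any message in this thread: the NFC "equality" described in point 2 above, next to two readings of "case-insensitive", applied to name pairs constructed for this illustration. The function names and the rule labels are assumptions of this sketch, not terms from the draft.

```python
import unicodedata


def nfc(name):
    """Unicode Normalization Form C, the rule set the message calls "equality"."""
    return unicodedata.normalize("NFC", name)


def caseless_nfc(name):
    """NFC, full Unicode case folding, then NFC again (folding can denormalise)."""
    return nfc(nfc(name).casefold())


def match_level(configured, presented):
    """Return the strictest rule under which the two names compare equal."""
    if configured == presented:
        return "code-point"
    if nfc(configured) == nfc(presented):
        return "nfc"
    # Simple lower-casing: one common meaning of "case-insensitive".
    if nfc(configured).lower() == nfc(presented).lower():
        return "nfc+lower"
    # Full case folding: another meaning, which also maps sharp s to "ss".
    if caseless_nfc(configured) == caseless_nfc(presented):
        return "nfc+casefold"
    return "different"


# Constructed name pairs (configured name, name presented by the peer).
SAMPLES = [
    ("Sch\u00fctte", "Schu\u0308tte"),   # precomposed vs. combining diaeresis
    ("Stra\u00dfer", "Strasser"),        # the German alternative spellings
    ("STRASSER", "strasser"),            # plain ASCII case difference
    ("STRASSER", "Stra\u00dfer"),        # lower() and casefold() disagree here
    ("Strasser", "Straser"),             # genuinely different names
]

if __name__ == "__main__":
    for configured, presented in SAMPLES:
        print(ascii(configured), ascii(presented), match_level(configured, presented))
```

The second and fourth pairs are equal only under full case folding, so a matcher that stops at NFC, or at NFC plus lower-casing, rejects them.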


From syslog-bounces@ietf.org  Tue Jul 15 08:41:31 2008
From: Balazs Scheidler <bazsi@balabit.hu>
To: syslog@ietf.org
Date: Tue, 15 Jul 2008 17:41:52 +0200
Message-Id: <1216136512.14605.36.camel@bzorp.balabit>
Subject: [Syslog] sequenceId and relaying

Dear syslog working group,

I'd have a question regarding the syslog-protocol RFCs, more
specifically about the "sequenceId" portion of the "meta" structured
data element.

The definition of sequenceId states:

"7.3.1.  sequenceId

   The "sequenceId" parameter tracks the sequence in which the syslog
   application submits messages to the syslog transport for sending.  It
   is an integer that MUST be set to 1 when the syslog function is
   started and MUST be increased with every message up to a maximum
   value of 2147483647.  If that value is reached, the next message MUST
   be sent with a sequenceId of 1."

I see a couple of problems:
  1) It is not stated clearly in the RFC what relays may or may not do
     with structured data.
  2) By reading the definition above, I understand that each relay must
     generate a new sequenceId for every message, e.g. the collector sees
     the sequence id generated by the last hop, and not the sequenceId
     sent by the originator of the message.
  3) If the relay is permitted to change the structured-data portion
     (and the current sequenceId definition mandates this IMHO), how
     will this work with things like signed messages?

My questions:
  - Was this the original intent with "sequenceId"?
  - I think some clarification about the role of relays regarding 
    structured-data handling would be needed in the RFC.

-- 
Bazsi




From syslog-bounces@ietf.org  Tue Jul 15 11:52:23 2008
Date: Tue, 15 Jul 2008 11:52:33 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: Balazs Scheidler <bazsi@balabit.hu>
In-Reply-To: <1216136512.14605.36.camel@bzorp.balabit>
Message-ID: <Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com>
References: <1216136512.14605.36.camel@bzorp.balabit>
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying

Hi,

Section 5 says:
    Any syslog transport protocol MUST NOT deliberately alter the syslog
    message.  If the transport protocol needs to perform temporary
    transformations at the transport sender, these transformations MUST
    be reversed by the transport protocol at the transport receiver, so
    that relay or collector will see an exact copy of the message
    generated by the originator or relay.  Otherwise end-to-end
    cryptographic verifiers (such as signatures) will be broken.  Of
    course, message alteration might occur due to transmission errors or
    other problems.  Guarding against such alterations is not within the
    scope of this document.

I think that clearly states that the relay MUST NOT make any changes to 
the sequenceID nor to any other SD-ID of messages passing through them.

Thanks,
Chris

On Tue, 15 Jul 2008, Balazs Scheidler wrote:

> Dear syslog working group,
>
> I'd have a question regarding the syslog-protocol RFCs, more
> specifically about the "sequenceId" portion of the "meta" structured
> data element.
>
> The definition of sequenceId states:
>
> "7.3.1.  sequenceId
>
>   The "sequenceId" parameter tracks the sequence in which the syslog
>   application submits messages to the syslog transport for sending.  It
>   is an integer that MUST be set to 1 when the syslog function is
>   started and MUST be increased with every message up to a maximum
>   value of 2147483647.  If that value is reached, the next message MUST
>   be sent with a sequenceId of 1."
>
> I see a couple of problems:
>  1) It is not stated clearly in the RFC, what relays may or may not do
>    with structured data.
>  2) By reading the definition above, I understand that each relay must
>    generate a new sequenceId for every message, e.g. the collector sees
>    the sequence id generated by the last hop, and not the sequenceId
>    sent by the originator of the message.
>  3) if the relay is permitted to change the structured-data portion
>     (and the current sequenceId definition mandates this IMHO), how
>     will this work with things like signed messages?
>
> My questions:
>  - Was this the original intent with "sequenceId"?
>  - I think some clarification about the role of relays regarding
>    structured-data handling would be needed in the RFC.
>
> -- 
> Bazsi
>
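Added example, not part of any message in this thread and not taken from the RFC text: a collector-side sequenceId audit run over the same constructed traffic twice, once forwarded unchanged (the Section 5 reading) and once through a relay that stamps its own counter (reading 2 in the original question). The message layout, host names, per-HOSTNAME tracking and the SHA-256 digest standing in for an end-to-end verifier are assumptions of this sketch.

```python
import hashlib
import re

MAX_SEQ = 2147483647  # maximum sequenceId quoted from section 7.3.1

# Locates sequenceId in the "meta" SD-ELEMENT. Simplification: assumes no
# escaped "]" in earlier parameter values of the same element.
META_SEQ = re.compile(r'(\[meta\b[^\]]*?\bsequenceId=")(\d+)(")')


def next_sequence_id(current):
    """Originator counter: 1 at start, +1 per message, MAX_SEQ wraps to 1."""
    return 1 if current >= MAX_SEQ else current + 1


def make(host, seq, text):
    """Build one constructed RFC 5424-style test message."""
    return ('<134>1 2008-07-15T17:41:52Z %s app - - [meta sequenceId="%d"] %s'
            % (host, seq, text))


def parse(msg):
    """Return (HOSTNAME, sequenceId); sequenceId is None when absent."""
    host = msg.split(" ", 3)[2]  # <PRI>VERSION TIMESTAMP HOSTNAME ...
    m = META_SEQ.search(msg)
    return host, (int(m.group(2)) if m else None)


def classify(prev, seq):
    """Judge seq against the previous sequenceId from the same originator."""
    if prev is None:
        return "first"
    if seq == next_sequence_id(prev):
        return "wrap" if seq == 1 else "in-order"
    if seq == 1:
        return "restart"              # syslog function started again
    if seq > prev:
        return "gap:%d" % (seq - prev - 1)
    return "replay-or-reorder"


def audit(messages):
    """Collector view: list of (host, sequenceId, verdict), tracked per host."""
    last, report = {}, []
    for msg in messages:
        host, seq = parse(msg)
        if seq is None:
            report.append((host, None, "no-sequenceId"))
            continue
        report.append((host, seq, classify(last.get(host), seq)))
        last[host] = seq
    return report


def relay_renumbering(messages):
    """Relay that overwrites sequenceId with its own per-relay counter."""
    out, seq = [], 0
    for msg in messages:
        seq = next_sequence_id(seq)
        out.append(META_SEQ.sub(r"\g<1>%d\g<3>" % seq, msg, count=1))
    return out


def digest(msg):
    """Stand-in for an end-to-end cryptographic verifier over the message."""
    return hashlib.sha256(msg.encode("utf-8")).hexdigest()


def unaltered(sent, received):
    """Per message: does the collector's copy hash like the originator's?"""
    return [digest(a) == digest(b) for a, b in zip(sent, received)]


# Constructed traffic: host1 sent 1..4, but message 3 was lost before the relay.
ARRIVED_AT_RELAY = [
    make("host1", 1, "login ok"),
    make("host1", 2, "sudo invoked"),
    make("host1", 4, "logout"),
    make("host2", 1, "service start"),
    make("host2", 2, "service ready"),
]

if __name__ == "__main__":
    for name, stream in (("verbatim relay", list(ARRIVED_AT_RELAY)),
                         ("renumbering relay", relay_renumbering(ARRIVED_AT_RELAY))):
        print(name)
        for row, same in zip(audit(stream), unaltered(ARRIVED_AT_RELAY, stream)):
            print("  ", row, "unaltered" if same else "ALTERED")
```

With the unchanged stream the collector reports the missing host1 message as a gap; with the renumbering relay the stream looks contiguous and three of the five digests no longer match.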


From syslog-bounces@ietf.org  Wed Jul 16 01:38:20 2008
From: Balazs Scheidler <bazsi@balabit.hu>
To: Chris Lonvick <clonvick@cisco.com>
In-Reply-To: <Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com>
References: <1216136512.14605.36.camel@bzorp.balabit>
	<Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com>
Date: Wed, 16 Jul 2008 10:38:42 +0200
Message-Id: <1216197522.7409.12.camel@bzorp.balabit>
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying

From syslog-bounces@ietf.org  Wed Jul 16 02:07:13 2008
Date: Wed, 16 Jul 2008 11:07:29 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
In-Reply-To: <1216197522.7409.12.camel@bzorp.balabit>
References: <1216136512.14605.36.camel@bzorp.balabit><Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com>
	<1216197522.7409.12.camel@bzorp.balabit>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Balazs Scheidler" <bazsi@balabit.hu>, "Chris Lonvick" <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying

From syslog-bounces@ietf.org  Wed Jul 16 04:20:19 2008
From: Balazs Scheidler <bazsi@balabit.hu>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
References: <1216136512.14605.36.camel@bzorp.balabit>
	<Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com>
	<1216197522.7409.12.camel@bzorp.balabit>
	<577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
Date: Wed, 16 Jul 2008 13:20:39 +0200
Message-Id: <1216207239.7409.22.camel@bzorp.balabit>
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying

On Wed, 2008-07-16 at 11:07 +0200, Rainer Gerhards wrote:
> Hi all,
> 
> the intent is end-to-end. It got mangled during the "name wars" of syslog application/sender/receiver/originator etc. To restore the original meaning, we could do (during auth48 if there is consensus):
> 
> ###
> The "sequenceId" parameter tracks the sequence in which the ***originator*** submits
> ###
> 
> Anything beyond this is for the next version. I violently object any change that brings us out of the RFC editor publishing queue after we have finally reached this state after years and years... I say this even though I tend to agree to Bazsi on many points.

This is ok for me at this point of time, I'll act accordingly.

However I see some ambiguities with relays and how relays are permitted
to change messages, especially with syslog-sign in mind.

-- 
Bazsi



From syslog-bounces@ietf.org  Wed Jul 16 05:24:17 2008
Date: Wed, 16 Jul 2008 14:24:37 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA44EDEA@grfint2.intern.adiscon.com>
In-Reply-To: <1216207239.7409.22.camel@bzorp.balabit>
References: <1216136512.14605.36.camel@bzorp.balabit>
	<Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com>
	<1216197522.7409.12.camel@bzorp.balabit>
	<577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
	<1216207239.7409.22.camel@bzorp.balabit>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Balazs Scheidler" <bazsi@balabit.hu>
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying

> -----Original Message-----
> From: Balazs Scheidler [mailto:bazsi@balabit.hu]
> Sent: Wednesday, July 16, 2008 1:21 PM
> To: Rainer Gerhards
> Cc: Chris Lonvick; syslog@ietf.org
> Subject: RE: [Syslog] sequenceId and relaying
> 
> On Wed, 2008-07-16 at 11:07 +0200, Rainer Gerhards wrote:
> > Hi all,
> >
> > the intent is end-to-end. It got mangled during the "name wars" of
> > syslog application/sender/receiver/originator etc. To restore the
> > original meaning, we could do (during auth48 if there is consensus):
> >
> > ###
> > The "sequenceId" parameter tracks the sequence in which the
> > ***originator*** submits
> > ###
> >
> > Anything beyond this is for the next version. I violently object any
> > change that brings us out of the RFC editor publishing queue after we
> > have finally reached this state after years and years... I say this
> > even though I tend to agree to Bazsi on many points.
>
> This is ok for me at this point of time, I'll act accordingly.
>
> However I see some ambiguities with relays and how relays are permitted
> to change messages, especially with syslog-sign in mind.

That comes at no wonder, have a look at A.1:

####
RFC 3164 describes relay behavior.  This document does not specify
relay behavior.  This might be done in a separate document.
####

So details of relay operations are not covered by intention. After the
"name war", this has become a bit hard to grasp because the word relay
is all over the document. But a more prominent statement of
non-applicability was prevented by the "precise vs. imprecise spec war"
roughly two years before that. All of this is reasoning for not touching
anything right now. If we touch once again, we'll most probably blow the
whole effort. I, at least, am not prepared to invest any time more into
that same thing without seeing any progress. (I am open to discussion,
though, on something that may later become the text defining relay
operations).

Rainer
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
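
The end-to-end reading of "sequenceId" discussed in this thread is what lets a collector behind a relay notice messages lost anywhere on the path from the originator. The following is an added example, not code from the thread or from any syslog implementation: it walks the STRUCTURED-DATA of RFC 5424 messages and checks each originator's counter. Keying an originator by HOSTNAME plus APP-NAME, the `Finding` type and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

MAX_SEQ = 2147483647  # RFC 5424: after this value sequenceId wraps to 1

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER = re.compile(r'^<\d{1,3}>1 \S+ (\S+) (\S+) \S+ \S+ (.*)$', re.S)
# One SD-ELEMENT; '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped.
ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:[^"\\\]]|\\.)*")*)\]')
PARAM = re.compile(r' ([^ =\]"]+)="((?:[^"\\\]]|\\.)*)"')


@dataclass
class Finding:          # hypothetical result type for this example
    originator: tuple   # (HOSTNAME, APP-NAME): assumed originator identity
    kind: str           # "gap", "restart" or "repeat_or_reorder"
    expected: int
    got: int


def sequence_id(line):
    """Return ((HOSTNAME, APP-NAME), sequenceId or None); None if not RFC 5424."""
    m = HEADER.match(line)
    if m is None:
        return None
    host, app, rest = m.groups()
    pos = 0
    while True:
        el = ELEMENT.match(rest, pos)
        if el is None:  # "-" (no structured data) or the start of MSG
            return (host, app), None
        if el.group(1) == "meta":
            for name, value in PARAM.findall(el.group(2)):
                if name == "sequenceId" and re.fullmatch(r"[0-9]{1,10}", value):
                    return (host, app), int(value)
        pos = el.end()  # only elements adjacent to the header are parsed


def check_stream(lines):
    """Compare each originator's sequenceId with the value expected next."""
    last, findings = {}, []
    for line in lines:
        parsed = sequence_id(line)
        if parsed is None or parsed[1] is None:
            continue
        key, seq = parsed
        if key in last:  # the first message seen only sets the baseline
            expected = 1 if last[key] == MAX_SEQ else last[key] + 1
            if seq == expected:
                pass
            elif seq == 1:  # counter is set to 1 when the syslog function starts
                findings.append(Finding(key, "restart", expected, seq))
            elif seq > expected:
                findings.append(Finding(key, "gap", expected, seq))
            else:
                findings.append(Finding(key, "repeat_or_reorder", expected, seq))
                continue  # keep the highest value seen so far
        last[key] = seq
    return findings


# Constructed sample: two originators interleaved by one relay.
SAMPLE = [
    '<34>1 2008-07-16T11:07:00Z hostA appd 101 ID1 [meta sequenceId="1"] started',
    '<34>1 2008-07-16T11:07:01Z hostB appd 202 ID1 '
    '[origin ip="192.0.2.7"][meta sequenceId="1"] started',
    '<34>1 2008-07-16T11:07:02Z hostA appd 101 ID1 [meta sequenceId="2"] ok',
    '<34>1 2008-07-16T11:07:03Z hostB appd 202 ID1 - '
    'MSG text [meta sequenceId="99"] is not structured data',
    '<34>1 2008-07-16T11:07:04Z hostA appd 101 ID1 [meta sequenceId="4"] after loss',
    '<34>1 2008-07-16T11:07:05Z hostB appd 202 ID1 [meta sequenceId="2"] ok',
    '<34>1 2008-07-16T11:07:06Z hostA appd 150 ID1 [meta sequenceId="1"] restarted',
]

if __name__ == "__main__":
    for f in check_stream(SAMPLE):
        print(f)
```

The check only works if relays pass the originator's value through unchanged; a relay that renumbered messages would hide loss on the hop before it.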


From syslog-bounces@ietf.org  Wed Jul 16 05:45:57 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 671293A6BA8;
	Wed, 16 Jul 2008 05:45:57 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 36A2E3A6ADD
	for <syslog@core3.amsl.com>; Wed, 16 Jul 2008 05:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.483
X-Spam-Level: 
X-Spam-Status: No, score=-2.483 tagged_above=-999 required=5 tests=[AWL=0.116, 
	BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Lq-BrCpQsZrc for <syslog@core3.amsl.com>;
	Wed, 16 Jul 2008 05:45:50 -0700 (PDT)
Received: from QMTA05.emeryville.ca.mail.comcast.net
	(qmta05.emeryville.ca.mail.comcast.net [76.96.30.48])
	by core3.amsl.com (Postfix) with ESMTP id D7B3D3A6BA9
	for <syslog@ietf.org>; Wed, 16 Jul 2008 05:45:50 -0700 (PDT)
Received: from OMTA09.emeryville.ca.mail.comcast.net ([76.96.30.20])
	by QMTA05.emeryville.ca.mail.comcast.net with comcast
	id qbBG1Z00W0S2fkCA5cmL05; Wed, 16 Jul 2008 12:46:20 +0000
Received: from Harrington73653 ([24.128.66.199])
	by OMTA09.emeryville.ca.mail.comcast.net with comcast
	id qcmH1Z0054HwxpC8VcmJwl; Wed, 16 Jul 2008 12:46:20 +0000
X-Authority-Analysis: v=1.0 c=1 a=tVnIcDK3MZzDDp2itNwA:9
	a=bT98d9gR5lzEF3tGnBIA:9 a=kZsg51TRofCG_WtkJf1d4-Q9GiwA:4
	a=si9q_4b84H0A:10 a=hPjdaMEvmhQA:10 a=50e4U0PicR4A:10
From: "David Harrington" <ietfdbh@comcast.net>
To: "'Rainer Gerhards'" <rgerhards@hq.adiscon.com>,
	"'Balazs Scheidler'" <bazsi@balabit.hu>,
	"'Chris Lonvick'" <clonvick@cisco.com>
References: <1216136512.14605.36.camel@bzorp.balabit><Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com><1216197522.7409.12.camel@bzorp.balabit>
	<577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
Date: Wed, 16 Jul 2008 08:46:17 -0400
Message-ID: <004801c8e741$f21ce6d0$0600a8c0@china.huawei.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Thread-Index: AcjnH2L8Tp0k0JCyS/aWOWbPjDSx1QAA2yegAAeuBTA=
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Hi,

Chris and I believe the following change accurately represents
consensus of the WG intent.
Rainer, can you make that change during auth48?

> ###
> The "sequenceId" parameter tracks the sequence in which the 
> ***originator*** submits
> ###

David Harrington
dbharrington@comcast.net
ietfdbh@comcast.net
dharrington@huawei.com




From syslog-bounces@ietf.org  Wed Jul 16 05:52:18 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 39E1C3A69BE;
	Wed, 16 Jul 2008 05:52:18 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 55F323A69AE
	for <syslog@core3.amsl.com>; Wed, 16 Jul 2008 05:52:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Va4tOokrNsza for <syslog@core3.amsl.com>;
	Wed, 16 Jul 2008 05:52:15 -0700 (PDT)
Received: from mailin.adiscon.com (hetzner.adiscon.com [85.10.198.18])
	by core3.amsl.com (Postfix) with ESMTP id 781583A6909
	for <syslog@ietf.org>; Wed, 16 Jul 2008 05:52:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by mailin.adiscon.com (Postfix) with ESMTP id 4FE387AE9AD;
	Wed, 16 Jul 2008 14:48:53 +0200 (CEST)
Received: from mailin.adiscon.com ([127.0.0.1])
	by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id khAovgMQxRxV; Wed, 16 Jul 2008 14:48:53 +0200 (CEST)
Received: from grfint2.intern.adiscon.com (p50989a7c.dip0.t-ipconnect.de
	[80.152.154.124])
	by mailin.adiscon.com (Postfix) with ESMTP id 1388F7AC99A;
	Wed, 16 Jul 2008 14:48:53 +0200 (CEST)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 16 Jul 2008 14:52:37 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA44EDEB@grfint2.intern.adiscon.com>
In-Reply-To: <004801c8e741$f21ce6d0$0600a8c0@china.huawei.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Syslog] sequenceId and relaying
Thread-Index: AcjnH2L8Tp0k0JCyS/aWOWbPjDSx1QAA2yegAAeuBTAAAFHz0A==
References: <1216136512.14605.36.camel@bzorp.balabit><Pine.GSO.4.63.0807151148540.21576@sjc-cde-011.cisco.com><1216197522.7409.12.camel@bzorp.balabit>
	<577465F99B41C842AAFBE9ED71E70ABA44EDE8@grfint2.intern.adiscon.com>
	<004801c8e741$f21ce6d0$0600a8c0@china.huawei.com>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "David Harrington" <ietfdbh@comcast.net>,
	"Balazs Scheidler" <bazsi@balabit.hu>, "Chris Lonvick" <clonvick@cisco.com>
Cc: syslog@ietf.org
Subject: Re: [Syslog] sequenceId and relaying
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Sure, noted.

Rainer

> -----Original Message-----
> From: David Harrington [mailto:ietfdbh@comcast.net]
> Sent: Wednesday, July 16, 2008 2:46 PM
> To: Rainer Gerhards; 'Balazs Scheidler'; 'Chris Lonvick'
> Cc: syslog@ietf.org
> Subject: RE: [Syslog] sequenceId and relaying
> 
> Hi,
> 
> Chris and I believe the following change accurately represents
> consensus of the WG intent.
> Rainer, can you make that change during auth48?
> 
> > ###
> > The "sequenceId" parameter tracks the sequence in which the
> > ***originator*** submits
> > ###
> 
> David Harrington
> dbharrington@comcast.net
> ietfdbh@comcast.net
> dharrington@huawei.com
> 



From syslog-bounces@ietf.org  Wed Jul 16 07:21:22 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id AA53C3A6928;
	Wed, 16 Jul 2008 07:21:22 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 060A43A6928
	for <syslog@core3.amsl.com>; Wed, 16 Jul 2008 07:21:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id kUDAu5iWh3gf for <syslog@core3.amsl.com>;
	Wed, 16 Jul 2008 07:21:20 -0700 (PDT)
Received: from mk-outboundfilter-1.mail.uk.tiscali.com
	(mk-outboundfilter-1.mail.uk.tiscali.com [212.74.114.37])
	by core3.amsl.com (Postfix) with ESMTP id E5ABE3A679F
	for <syslog@ietf.org>; Wed, 16 Jul 2008 07:21:19 -0700 (PDT)
X-Trace: 145979508/mk-outboundfilter-1.mail.uk.tiscali.com/PIPEX/$PIPEX-ACCEPTED/pipex-customers/62.188.136.45
X-SBRS: None
X-RemoteIP: 62.188.136.45
X-IP-MAIL-FROM: cfinss@dial.pipex.com
X-IP-BHB: Once
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AtAEALyffUg+vIgt/2dsb2JhbACDXDaHTKUZAw
X-IronPort-AV: E=Sophos;i="4.30,373,1212361200"; d="scan'208";a="145979508"
X-IP-Direction: IN
Received: from 1cust45.tnt7.lnd4.gbr.da.uu.net (HELO allison) ([62.188.136.45])
	by smtp.pipex.tiscali.co.uk with SMTP; 16 Jul 2008 15:21:45 +0100
Message-ID: <01fd01c8e746$15cc59e0$0601a8c0@allison>
From: "tom.petch" <cfinss@dial.pipex.com>
To: "Chris Lonvick" <clonvick@cisco.com>,
	"syslog" <syslog@ietf.org>
References: <Pine.GSO.4.63.0806200638540.6650@sjc-cde-011.cisco.com>
Date: Wed, 16 Jul 2008 15:11:21 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: Re: [Syslog] Please review draft-ietf-syslog-transport-tls
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: "tom.petch" <cfinss@dial.pipex.com>
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Looks ok.

Some editorial suggestions

a} /SubjectAltName field/subjectAltName extension/ twice

b} /ipAddress/iPAddress/ once

c} PKI; expand the acronym on first use

d} s5.1 need only refer to 4.2.2 not 4.2.1

e}  " SerialNumber portion of the Subject Distinguished Name"
I do not know what this is; serialNumber of type X520SerialNumber?

f} s5.5 should reference 5.3 and 5.4 not 5.2

g} s7.1, cross reference to s4.1 for the port number definition

h} Should we add a reference for SHA-1?  I would not bother for a pkix document,
but for one aimed at network management, I think we should.  [RFC 3174]

Tom Petch

----- Original Message -----
From: "Chris Lonvick" <clonvick@cisco.com>
To: <syslog@ietf.org>
Sent: Friday, June 20, 2008 3:46 PM
Subject: [Syslog] Please review draft-ietf-syslog-transport-tls


> Hi Folks,
>
> We're getting very close on this.  Can we get some people to look it over
> and let us know what you think?
>
> If you look it over and agree with the changes, we need some "I'm OK with
> this" and "me too" responses.  :-)
>
> For your convenience, the IETF tools people have provided a way to easily
> see the diffs from the last version here:
>    http://tools.ietf.org/wg/syslog/draft-ietf-syslog-transport-tls/
>
> Thanks,
> Chris & David


From syslog-bounces@ietf.org  Tue Jul 22 05:47:08 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 04CA83A69E4;
	Tue, 22 Jul 2008 05:47:08 -0700 (PDT)
X-Original-To: syslog@ietf.org
Delivered-To: syslog@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 30)
	id 773233A69A9; Tue, 22 Jul 2008 05:47:05 -0700 (PDT)
X-idtracker: yes
To: IETF-Announce <ietf-announce@ietf.org> 
From: The IESG <iesg-secretary@ietf.org>
Message-Id: <20080722124705.773233A69A9@core3.amsl.com>
Date: Tue, 22 Jul 2008 05:47:05 -0700 (PDT)
Cc: syslog@ietf.org
Subject: [Syslog] Last Call: draft-ietf-syslog-transport-tls (TLS Transport
 Mapping for Syslog) to Proposed Standard
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ietf@ietf.org
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

The IESG has received a request from the Security Issues in Network Event 
Logging WG (syslog) to consider the following document:

- 'TLS Transport Mapping for Syslog '
   <draft-ietf-syslog-transport-tls-13.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf@ietf.org mailing lists by 2008-08-05. Exceptionally, 
comments may be sent to iesg@ietf.org instead. In either case, please 
retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-13.txt


IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=14551&rfc_flag=0



From syslog-bounces@ietf.org  Tue Jul 22 07:30:01 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 7E7433A695D;
	Tue, 22 Jul 2008 07:30:01 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id B86643A6A58
	for <syslog@core3.amsl.com>; Tue, 22 Jul 2008 07:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id QQhrYP5DeWsy for <syslog@core3.amsl.com>;
	Tue, 22 Jul 2008 07:29:59 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70])
	by core3.amsl.com (Postfix) with ESMTP id B44563A695D
	for <syslog@ietf.org>; Tue, 22 Jul 2008 07:29:59 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,231,1215388800"; d="scan'208";a="56045240"
Received: from sj-dkim-2.cisco.com ([171.71.179.186])
	by sj-iport-1.cisco.com with ESMTP; 22 Jul 2008 14:30:41 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237])
	by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m6MEUfYQ004948
	for <syslog@ietf.org>; Tue, 22 Jul 2008 07:30:41 -0700
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.20.39])
	by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m6MEUe81008589
	for <syslog@ietf.org>; Tue, 22 Jul 2008 14:30:40 GMT
Date: Tue, 22 Jul 2008 07:30:40 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: syslog@ietf.org
Message-ID: <Pine.GSO.4.63.0807220719400.10632@sjc-cde-011.cisco.com>
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1883; t=1216737041;
	x=1217601041; c=relaxed/simple; s=sjdkim2002;
	h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;
	d=cisco.com; i=clonvick@cisco.com;
	z=From:=20Chris=20Lonvick=20<clonvick@cisco.com>
	|Subject:=20[Syslog]=20Last=20Call=3A=20draft-ietf-syslog-t
	ransport-tls=20(TLS=20Transport=0A=20Mapping=20for=20Syslog)
	=20to=20Proposed=20Standard=20(fwd) |Sender:=20;
	bh=ld9jdFdUsJx42thjVpt7qHh6blpzuhsfvBTAYKqgqGE=;
	b=uUEbOQM9R/g3w0y433eTp/1d+87ilCSE9dKAYSRZENgpaXkb5zqtUVRugA
	q8MswEPANqfznnT+o0qzObqblLf2dAkqqa1ORRyc3WDgGzyrL6qRQ3IQoEIV
	Be9Tjf5SlC;
Authentication-Results: sj-dkim-2; header.From=clonvick@cisco.com; dkim=pass (
	sig from cisco.com/sjdkim2002 verified; ); 
Subject: [Syslog] Last Call: draft-ietf-syslog-transport-tls (TLS Transport
 Mapping for Syslog) to Proposed Standard (fwd)
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Hi Folks,

Pasi has reviewed the document and looked over the WG review comments. 
He feels that the document is ready for IETF Last Call and will treat the 
WG comments already posted as Last Call comments.  The next IESG telechat 
(where the IESG talks about turning IDs into RFCs) is August 14th.

Pasi Eronen (our Advisor) is looking over draft-ietf-syslog-sign and will 
give us comments about it before he goes to the next IETF meeting in 
Dublin.  He knows about the discussion of reusing the certificates defined 
in syslog-transport-tls.

Thanks,
Chris

---------- Forwarded message ----------
Date: Tue, 22 Jul 2008 05:47:05 -0700 (PDT)
From: The IESG <iesg-secretary@ietf.org>
Reply-To: ietf@ietf.org
To: IETF-Announce <ietf-announce@ietf.org>
Cc: syslog@ietf.org
Subject: [Syslog] Last Call: draft-ietf-syslog-transport-tls (TLS Transport
     Mapping for Syslog) to Proposed Standard

The IESG has received a request from the Security Issues in Network Event
Logging WG (syslog) to consider the following document:

- 'TLS Transport Mapping for Syslog '
    <draft-ietf-syslog-transport-tls-13.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  Please send substantive comments to the
ietf@ietf.org mailing lists by 2008-08-05. Exceptionally,
comments may be sent to iesg@ietf.org instead. In either case, please
retain the beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-13.txt


IESG discussion can be tracked via
https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=14551&rfc_flag=0



From syslog-bounces@ietf.org  Wed Jul 23 05:15:10 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id D6E403A6A4F;
	Wed, 23 Jul 2008 05:15:10 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 530253A6A4F
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:15:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 1MCXU1w0YYD5 for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:15:05 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230])
	by core3.amsl.com (Postfix) with ESMTP id A73A03A680C
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:15:04 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCFCM3019912 for <syslog@ietf.org>; Wed, 23 Jul 2008 15:15:44 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:15:42 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:15:37 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:15:38 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF3F@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign AD evaluation
Thread-Index: AcjsvdESCaia7utzQPmbcbW1ZNbAXg==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:15:37.0184 (UTC)
	FILETIME=[D08B8E00:01C8ECBD]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign AD evaluation
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Hi,

Now that syslog-transport-tls has gone to IETF Last Call, I've 
finally started doing the AD evaluation for syslog-sign.

In general, the document looks quite good. I've identified a couple of
non-trivial topics that I'd like to discuss with the WG, plus a 
number of minor, mostly editorial clarifications/comments.

I'll send these in separate messages (to facilitate discussion)
to the mailing list over the next couple of days.

Best regards,
Pasi


From syslog-bounces@ietf.org  Wed Jul 23 05:25:12 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id A63FE3A69D9;
	Wed, 23 Jul 2008 05:25:12 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id BA4A73A69D9
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:25:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id IsSKklKbCXhO for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:25:10 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230])
	by core3.amsl.com (Postfix) with ESMTP id A84963A698B
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:25:09 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCPRAi030398 for <syslog@ietf.org>; Wed, 23 Jul 2008 15:25:38 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:25:37 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:25:29 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:25:31 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF58@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign: RSA support?
Thread-Index: AcjsvzKj5PL49RBgTgu6ixZSyT+SBg==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:25:29.0903 (UTC)
	FILETIME=[31D54BF0:01C8ECBF]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign: RSA support?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


The specification supports only DSA, which means it can't be used with
certificates most folks already have (or can most easily obtain from
any CA). Was this an intentional design decision? If so, I'd like to
hear some background for it...

Best regards,
Pasi


From syslog-bounces@ietf.org  Wed Jul 23 05:26:23 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 2C0E83A696E;
	Wed, 23 Jul 2008 05:26:23 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id AC8B83A6817
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:26:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, 
	BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id U1eiA2WIeTfg for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:26:21 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134])
	by core3.amsl.com (Postfix) with ESMTP id 579C13A67A7
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:26:20 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCPT5x002456 for <syslog@ietf.org>; Wed, 23 Jul 2008 07:26:55 -0500
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:26:37 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:26:25 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:26:27 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF5C@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign: Overlapping signature blocks
Thread-Index: Acjsv1Q/RLcdaAslQ3ukWvSEf3eS1A==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:26:26.0120 (UTC)
	FILETIME=[53575480:01C8ECBF]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign: Overlapping signature blocks
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

The document seems to assume that the message ranges covered by
different Signature Blocks don't overlap -- is this intentional?  
(If it is, it should be explicitly mentioned.)

(One obvious approach to redundancy would be to send Signature Blocks
covering an overlapping "sliding window" of messages, instead of
resending an identical signature block multiple times. But that
would require allowing overlap.)

Best regards,
Pasi


From syslog-bounces@ietf.org  Wed Jul 23 05:26:32 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 5463A3A6AE9;
	Wed, 23 Jul 2008 05:26:32 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 7411B3A6AED
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 94SHGMXYqymB for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:26:30 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233])
	by core3.amsl.com (Postfix) with ESMTP id 1F7893A6ADF
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:26:28 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx06.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCQqZu014825 for <syslog@ietf.org>; Wed, 23 Jul 2008 15:27:06 +0300
Received: from vaebh103.NOE.Nokia.com ([10.160.244.24]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:27:05 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh103.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:27:03 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:27:04 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF5F@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign: Certificate chains?
Thread-Index: Acjsv2pXl/jgOAv/TG2qDAfNSef2JA==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:27:03.0563 (UTC)
	FILETIME=[69A8ADB0:01C8ECBF]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign: Certificate chains?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


Most IETF protocols that send certificates around support sending
certificate chains, too. Should syslog-sign support this, too?
If not, why?

Best regards,
Pasi


From syslog-bounces@ietf.org  Wed Jul 23 05:37:27 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 79CE328C0CF;
	Wed, 23 Jul 2008 05:37:27 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 0367D3A6AD8
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 9cB3tSMiMU-E for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:37:26 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233])
	by core3.amsl.com (Postfix) with ESMTP id CA9E23A68CD
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:37:25 -0700 (PDT)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213])
	by mgw-mx06.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCbofM025490 for <syslog@ietf.org>; Wed, 23 Jul 2008 15:38:06 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:37:42 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:37:34 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:37:37 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF6C@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign: Minor clarifications, part 1
Thread-Index: AcjswOOI9SGJ9LN1QeiqxFVdAkcUZQ==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:37:34.0931 (UTC)
	FILETIME=[E1FBCA30:01C8ECC0]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign: Minor clarifications, part 1
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org

Sections 4 and 5: The document is a bit vague on how the DSA signature
is encoded in the Signature Block; it talks about "OpenPGP DSA" (which
might mean the "two MPIs" encoding in RFC 4880), but this is different
than the encoding used in most IETF protocols (DER encoding of
SEQUENCE of two INTEGERs). Which one is it?

Section 4.2.8 and 5.3.2.8: The text needs to be clearer about the
exact data which is signed. Does this mean a complete SYSLOG-MSG
(including MSG and other structured data after "ssign", if any),
except that STRUCTURED-DATA does not yet contain the SIGN parameter
(and the space separating it from the previous parameter)? Also,
excluding spaces here seems really strange -- after all, they're
included when calculating hashes -- and would seem to complicate
implementation (also, it's not totally obvious what spaces exactly
would be excluded).

Section 4.2 and 5.3.2: Are the SD-PARAMs always in this order,
or can they be in any order? Is it possible that some extension
will later add new SD-PARAMs to these SD-IDs -- if so, how should old
implementations handle them?

Section 5.2, key blob type 'P': RFC 2440/4880 don't clearly define
what an "OpenPGP certificate" is -- does this mean "Transferable
Public Key" (RFC 4880 Section 11.1)?

Section 5.2, key blob type 'K': what algorithm, encoded how?

Section 5.3.2.*: are the various lengths/indexes referring to the raw
data (before base64 encoding), or to the data that's actually sent
(after base64 encoding)?

Section 5.3.2.5: numbering the first octet "1" is highly unusual in
IETF protocols -- if this is intentional, perhaps a note highlighting
this would be useful.

Section 6.1.1/6.1.2: I'm having some difficulties in understanding
exactly how the delay/count parameters are supposed to be used.
This text probably needs some clarification.

Section 6.2: It wouldn't hurt to repeat the requirement that the
payload block isn't changed.

Section 8.5: Using TLS/TCP doesn't mean messages can't be lost (see
syslog-transport-tls draft, Section 6.3, for details); perhaps this should
be pointed out here, too.

Best regards,
Pasi
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
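
The first question in the message above (Sections 4 and 5) contrasts two encodings of a DSA signature. As an added example, not taken from the draft or from this thread, the following encodes one constructed (r, s) pair both as two RFC 4880 MPIs and as a DER SEQUENCE of two INTEGERs, with strict decoders for each; the function names and the sample values are assumptions made for illustration.

```python
# Added example: two wire encodings of the same DSA signature (r, s).
# R_CONSTRUCTED and S_CONSTRUCTED are made-up 160-bit-range values, not real signatures.

def mpi_encode(n: int) -> bytes:
    """RFC 4880 MPI: two-octet big-endian bit count, then the magnitude."""
    if n < 0:
        raise ValueError("MPIs are unsigned")
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def mpi_decode(buf: bytes, off: int = 0):
    """Return (value, next_offset); reject truncation and wrong bit counts."""
    if len(buf) - off < 2:
        raise ValueError("truncated MPI header")
    bits = int.from_bytes(buf[off:off + 2], "big")
    size = (bits + 7) // 8
    body = buf[off + 2:off + 2 + size]
    if len(body) != size:
        raise ValueError("truncated MPI body")
    value = int.from_bytes(body, "big")
    if value.bit_length() != bits:
        raise ValueError("MPI bit count does not match value")
    return value, off + 2 + size

def openpgp_sig_encode(r: int, s: int) -> bytes:
    return mpi_encode(r) + mpi_encode(s)

def openpgp_sig_decode(buf: bytes):
    r, off = mpi_decode(buf)
    s, off = mpi_decode(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after second MPI")
    return r, s

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(n: int) -> bytes:
    """DER INTEGER is signed: a 0x00 octet is prepended when the top bit is set."""
    if n < 0:
        raise ValueError("r and s are non-negative")
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def der_sig_encode(r: int, s: int) -> bytes:
    body = der_int(r) + der_int(s)
    return b"\x30" + der_len(len(body)) + body

def der_tlv(buf: bytes, off: int, tag: int):
    """Read one definite-length TLV with the expected tag; return (value, next_offset)."""
    if off + 2 > len(buf) or buf[off] != tag:
        raise ValueError("unexpected tag or truncated header")
    length, off = buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        if count == 0 or off + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
        if length < 0x80 or buf[off - count] == 0:
            raise ValueError("non-minimal length")
    if off + length > len(buf):
        raise ValueError("truncated value")
    return buf[off:off + length], off + length

def der_int_decode(body: bytes) -> int:
    if not body or body[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big")

def der_sig_decode(buf: bytes):
    seq, end = der_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after SEQUENCE")
    r_body, off = der_tlv(seq, 0, 0x02)
    s_body, off = der_tlv(seq, off, 0x02)
    if off != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    return der_int_decode(r_body), der_int_decode(s_body)

R_CONSTRUCTED = 2**159 + 12345   # 160 bits, top bit set: DER needs a pad octet
S_CONSTRUCTED = 2**150 + 67890   # 151 bits: fits in 19 octets in both encodings

if __name__ == "__main__":
    pgp = openpgp_sig_encode(R_CONSTRUCTED, S_CONSTRUCTED)
    der = der_sig_encode(R_CONSTRUCTED, S_CONSTRUCTED)
    print(len(pgp), pgp[:4].hex())
    print(len(der), der[:6].hex())
```

Neither decoder accepts the other encoding's bytes, so a signer and verifier that read the text differently fail every verification rather than interoperating by accident.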


From syslog-bounces@ietf.org  Wed Jul 23 05:40:14 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id E5EA23A6ADF;
	Wed, 23 Jul 2008 05:40:14 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id DF9363A6ADF
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.599
X-Spam-Level: 
X-Spam-Status: No, score=-7.599 tagged_above=-999 required=5 tests=[AWL=1.000, 
	BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 5vPQ7gZJsQ-u for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:40:13 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134])
	by core3.amsl.com (Postfix) with ESMTP id CB3363A68CD
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:40:12 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCeE9w015940 for <syslog@ietf.org>; Wed, 23 Jul 2008 07:40:54 -0500
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:40:50 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:40:47 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:40:50 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF77@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign: Extending Hash/Signature Algorithm field
Thread-Index: AcjswVaqTjm3HAsySoSgGxyXfxfFog==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:40:47.0770 (UTC)
	FILETIME=[54ECAFA0:01C8ECC1]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign: Extending Hash/Signature Algorithm field
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


The current NIST-approved hash functions would already consume >50% 
of the number space for hash algorithms (and we can expect more
algorithms from the hash algorithm competition). Thus, having a field 
with only 10 possible values doesn't sound too good (even if the 
protocol version field also allows some extensibility).

If we e.g. allowed using letters as well, we'd have 62 possible
values instead -- would that be a reasonable approach?

Best regards,
Pasi


From syslog-bounces@ietf.org  Wed Jul 23 05:42:34 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 541DE3A6A4A;
	Wed, 23 Jul 2008 05:42:34 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 3653B3A6A4A
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 05:42:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.67
X-Spam-Level: 
X-Spam-Status: No, score=-6.67 tagged_above=-999 required=5 tests=[AWL=-0.071, 
	BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id AVAxhTQ4WAmd for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 05:42:32 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230])
	by core3.amsl.com (Postfix) with ESMTP id 0AB123A69BA
	for <syslog@ietf.org>; Wed, 23 Jul 2008 05:42:31 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com
	[10.160.244.31])
	by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id
	m6NCgg8Y015756 for <syslog@ietf.org>; Wed, 23 Jul 2008 15:43:12 +0300
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by
	vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:43:10 +0300
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by
	vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); 
	Wed, 23 Jul 2008 15:42:59 +0300
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 23 Jul 2008 15:43:02 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720134FF7B@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Syslog-sign: Editorial nits, part 1
Thread-Index: AcjswaVGBFXHEfYSTAe0dPo+8Eu+AA==
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
X-OriginalArrivalTime: 23 Jul 2008 12:42:59.0673 (UTC)
	FILETIME=[A38B7C90:01C8ECC1]
X-Nokia-AV: Clean
Subject: [Syslog] Syslog-sign: Editorial nits, part 1
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


>From idnits: There is 1 instance of too long lines in the document,
the longest one being 19 characters in excess of 72.

RFC 2434 has been obsoleted by RFC 5226 (which also slightly
changes the names of the pre-defined policies).

RFC 2440 has been obsoleted by RFC 4880.

Using symbolic references like [RFC2119] instead of [11] would make
the document more readable (the RFC Editor nowadays strongly
recommends this, too).

Best regards,
Pasi


From syslog-bounces@ietf.org  Wed Jul 23 09:27:33 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 062753A69B8;
	Wed, 23 Jul 2008 09:27:33 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 522323A6407
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 09:27:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Ips3XqfgHz3H for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 09:27:31 -0700 (PDT)
Received: from merrymeet.com (merrymeet.com [66.93.68.160])
	by core3.amsl.com (Postfix) with ESMTP id A21983A635F
	for <syslog@ietf.org>; Wed, 23 Jul 2008 09:27:31 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [66.93.68.161])
	(Authenticated sender: jon)
	by merrymeet.com (Postfix) with ESMTP id AA3281177D99;
	Wed, 23 Jul 2008 09:28:14 -0700 (PDT)
Received: from [10.0.23.32] ([66.93.68.160])
	by keys.merrymeet.com (PGP Universal service);
	Wed, 23 Jul 2008 09:28:12 -0700
X-PGP-Universal: processed;
	by keys.merrymeet.com on Wed, 23 Jul 2008 09:28:12 -0700
Message-Id: <D1704A8D-201C-4FB5-8567-3E7F3E5282E6@callas.org>
From: Jon Callas <jon@callas.org>
To: <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB720134FF5C@vaebe104.NOE.Nokia.com>
Mime-Version: 1.0 (Apple Message framework v928.1)
Date: Wed, 23 Jul 2008 09:28:16 -0700
References: <1696498986EFEC4D9153717DA325CB720134FF5C@vaebe104.NOE.Nokia.com>
X-Mailer: Apple Mail (2.928.1)
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: Overlapping signature blocks
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


On Jul 23, 2008, at 5:26 AM, <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com> wrote:

> The document seems to assume that the message ranges covered by
> different Signature Blocks don't overlap -- is this intentional?
> (If it is, it should be explicitly mentioned.)
>
> (One obvious approach to redundancy would be to send Signature Blocks
> covering an overlapping "sliding window" of messages, instead of
> resending an identical signature block multiple times. But that
> would require allowing overlap.)

Overlap of sliding windows is a feature, not a bug. If anything, we  
should reverse the polarity on your comment and more explicitly  
mention its utility.

	Jon


_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
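
The overlapping "sliding window" idea discussed in the two messages above, as an added example that is not part of the draft or of either post: a collector merges overlapping Signature Blocks into one table of per-message hashes, rejects blocks that disagree about the same message, and reports which messages remain uncovered when blocks are lost. It assumes the blocks' signatures were already verified, uses SHA-256 and a (first message number, hash list) block layout as stand-ins, and all names and log lines are constructed.

```python
# Added example: coverage of overlapping vs. disjoint signature blocks under loss.
import hashlib

def digest(msg: bytes) -> bytes:
    # SHA-256 is an assumption of this example, not a statement about the draft.
    return hashlib.sha256(msg).digest()

def make_blocks(messages, window, step):
    """Originator side: after every `step` messages, emit a block covering the
    last `window` messages. Returns [(first_message_number, [hash, ...]), ...];
    message numbers start at 1. window == step gives disjoint blocks."""
    blocks = []
    for end in range(step, len(messages) + 1, step):
        first = max(1, end - window + 1)
        blocks.append((first, [digest(m) for m in messages[first - 1:end]]))
    return blocks

def merge_blocks(blocks):
    """Collector side: fold (already signature-verified) blocks into
    {message_number: hash}. Two blocks that give different hashes for the
    same message number are an integrity failure, not something to paper over."""
    table = {}
    for first, hashes in blocks:
        for offset, value in enumerate(hashes):
            number = first + offset
            if table.setdefault(number, value) != value:
                raise ValueError(f"conflicting hashes for message {number}")
    return table

def classify(received, table):
    """received maps message number -> raw message bytes as stored by the collector."""
    result = {}
    for number, msg in received.items():
        expected = table.get(number)
        if expected is None:
            result[number] = "uncovered"
        elif expected == digest(msg):
            result[number] = "verified"
        else:
            result[number] = "mismatch"
    return result

def uncovered_after_loss(messages, window, step, lost):
    """Message numbers no surviving block vouches for; `lost` holds the
    indexes of blocks dropped in transit."""
    kept = [b for i, b in enumerate(make_blocks(messages, window, step))
            if i not in lost]
    table = merge_blocks(kept)
    return [n for n in range(1, len(messages) + 1) if n not in table]

# Constructed sample input: twelve log lines.
MESSAGES = [f"constructed log line {n}".encode() for n in range(1, 13)]

if __name__ == "__main__":
    # Disjoint blocks of 3: losing the third block leaves 7..9 unverifiable.
    print(uncovered_after_loss(MESSAGES, window=3, step=3, lost={2}))
    # Window of 6 advanced by 3: every hash travels in two blocks.
    print(uncovered_after_loss(MESSAGES, window=6, step=3, lost={2}))
    # Two adjacent losses exceed the redundancy and open a gap.
    print(uncovered_after_loss(MESSAGES, window=6, step=3, lost={1, 2}))
```

With a window of 6 advanced by 3, each hash is transmitted twice, the same volume as sending every disjoint block twice, but the two copies travel in different blocks sent at different times.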


From syslog-bounces@ietf.org  Wed Jul 23 09:29:02 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id EFF6E3A69F4;
	Wed, 23 Jul 2008 09:29:01 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id CB5F93A69C5
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 09:29:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=1.000, 
	BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 0qYNpdT5WwTF for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 09:29:01 -0700 (PDT)
Received: from merrymeet.com (merrymeet.com [66.93.68.160])
	by core3.amsl.com (Postfix) with ESMTP id 156533A6407
	for <syslog@ietf.org>; Wed, 23 Jul 2008 09:29:01 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [66.93.68.161])
	(Authenticated sender: jon)
	by merrymeet.com (Postfix) with ESMTP id 6AE2A1177DFA;
	Wed, 23 Jul 2008 09:29:44 -0700 (PDT)
Received: from [10.0.23.32] ([66.93.68.160])
	by keys.merrymeet.com (PGP Universal service);
	Wed, 23 Jul 2008 09:29:42 -0700
X-PGP-Universal: processed;
	by keys.merrymeet.com on Wed, 23 Jul 2008 09:29:42 -0700
Message-Id: <69F1B7C8-A27C-4D3D-A88A-B90C18D7947D@callas.org>
From: Jon Callas <jon@callas.org>
To: <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB720134FF77@vaebe104.NOE.Nokia.com>
Mime-Version: 1.0 (Apple Message framework v928.1)
Date: Wed, 23 Jul 2008 09:29:47 -0700
References: <1696498986EFEC4D9153717DA325CB720134FF77@vaebe104.NOE.Nokia.com>
X-Mailer: Apple Mail (2.928.1)
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: Extending Hash/Signature Algorithm field
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


On Jul 23, 2008, at 5:40 AM, <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com> wrote:

>
> The current NIST-approved hash functions would already consume >50%
> of the number space for hash algorithms (and we can expect more
> algorithms from the hash algorithm competition). Thus, having a field
> with only 10 possible values doesn't sound too good (even if the
> protocol version field also allows some extensibility).
>
> If we e.g. allowed using letters as well, we'd have 62 possible
> values instead -- would that be a reasonable approach?

Yes.

	Jon




From syslog-bounces@ietf.org  Wed Jul 23 14:32:06 2008
Return-Path: <syslog-bounces@ietf.org>
X-Original-To: syslog-archive@megatron.ietf.org
Delivered-To: ietfarch-syslog-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 512133A68BC;
	Wed, 23 Jul 2008 14:32:06 -0700 (PDT)
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 1F84D3A68BC
	for <syslog@core3.amsl.com>; Wed, 23 Jul 2008 14:32:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.532
X-Spam-Level: 
X-Spam-Status: No, score=-0.532 tagged_above=-999 required=5
	tests=[BAYES_00=-2.599, RCVD_NUMERIC_HELO=2.067]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 8sfgf+X91a4E for <syslog@core3.amsl.com>;
	Wed, 23 Jul 2008 14:32:04 -0700 (PDT)
Received: from merrymeet.com (merrymeet.com [66.93.68.160])
	by core3.amsl.com (Postfix) with ESMTP id 625583A6887
	for <syslog@ietf.org>; Wed, 23 Jul 2008 14:32:04 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [66.93.68.161])
	(Authenticated sender: jon)
	by merrymeet.com (Postfix) with ESMTP id CEAB111797B1;
	Wed, 23 Jul 2008 14:32:47 -0700 (PDT)
Received: from 203.23.240.10.in-addr.arpa ([208.54.95.20])
	by keys.merrymeet.com (PGP Universal service);
	Wed, 23 Jul 2008 14:32:45 -0700
X-PGP-Universal: processed;
	by keys.merrymeet.com on Wed, 23 Jul 2008 14:32:45 -0700
Message-Id: <3E9E1070-3E11-4AA7-B8B3-DF8FA6DF8769@callas.org>
From: Jon Callas <jon@callas.org>
To: <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB720134FF5F@vaebe104.NOE.Nokia.com>
Mime-Version: 1.0 (Apple Message framework v928.1)
Date: Wed, 23 Jul 2008 11:45:00 -0700
References: <1696498986EFEC4D9153717DA325CB720134FF5F@vaebe104.NOE.Nokia.com>
X-Mailer: Apple Mail (2.928.1)
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: Certificate chains?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>,
	<mailto:syslog-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: syslog-bounces@ietf.org
Errors-To: syslog-bounces@ietf.org


On Jul 23, 2008, at 5:27 AM, <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com> wrote:

>
> Most IETF protocols that send certificates around support sending
> certificate chains, too. Should syslog-sign support this, too?
> If not, why?

The model is for a more direct trust system where the certificate  
transferred is its own trust anchor. So if I am going to send you a log  
stream that I'll be signing with a certificate, I just send you the  
cert that I'm signing with. There's no need for a chain. Perhaps that  
cert descends from a formal CA and that may contain its own goodness,  
but it is not necessary.

	Jon


_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog


From syslog-bounces@ietf.org  Wed Jul 23 15:21:28 2008
Date: Wed, 23 Jul 2008 15:22:09 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: Jon Callas <jon@callas.org>
In-Reply-To: <D1704A8D-201C-4FB5-8567-3E7F3E5282E6@callas.org>
Message-ID: <Pine.GSO.4.63.0807231519380.10632@sjc-cde-011.cisco.com>
References: <1696498986EFEC4D9153717DA325CB720134FF5C@vaebe104.NOE.Nokia.com>
	<D1704A8D-201C-4FB5-8567-3E7F3E5282E6@callas.org>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: Overlapping signature blocks

Hi,

On Wed, 23 Jul 2008, Jon Callas wrote:

>
> On Jul 23, 2008, at 5:26 AM, <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com> 
> wrote:
>
>> The document seems to assume that the message ranges covered by
>> different Signature Blocks don't overlap -- is this intentional?
>> (If it is, it should be explicitly mentioned.)
>> 
>> (One obvious approach to redundancy would be to send Signature Blocks
>> covering an overlapping "sliding window" of messages, instead of
>> resending an identical signature block multiple times. But that
>> would require allowing overlap.)
>
> Overlap of sliding windows is a feature, not a bug. If anything, we should 
> reverse the polarity on your comment and more explicitly mention its utility.

Agreed.  I found this email which discusses the concept.
   http://www.mail-archive.com/syslog-sec@employees.org/msg00772.html

I did re-read the ID and found that the concept is not clearly stated.

Thanks,
Chris


From syslog-bounces@ietf.org  Thu Jul 24 01:34:21 2008
Date: Thu, 24 Jul 2008 11:33:46 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB7201350200@vaebe104.NOE.Nokia.com>
In-Reply-To: <D1704A8D-201C-4FB5-8567-3E7F3E5282E6@callas.org>
References: <1696498986EFEC4D9153717DA325CB720134FF5C@vaebe104.NOE.Nokia.com>
	<D1704A8D-201C-4FB5-8567-3E7F3E5282E6@callas.org>
From: <Pasi.Eronen@nokia.com>
To: <jon@callas.org>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: Overlapping signature blocks

Jon Callas wrote:

> Overlap of sliding windows is a feature, not a bug. If anything, we  
> should reverse the polarity on your comment and more explicitly  
> mention its utility.

I asked about this because some parts of the draft need small changes
if overlapping sliding windows are allowed (and I agree that they
could be useful).

In particular, Sections 7.1 and 7.2 seem to assume no overlap.

Best regards,
Pasi
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
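
The overlapping "sliding window" of Signature Blocks discussed in this thread, as an added example that is not part of any post or of the draft. It assumes a simplified Signature Block (First Message Number plus Hash Block only), SHA-256 hashes, and blocks whose signatures have already been checked; the messages are constructed.

```python
import hashlib
from collections import namedtuple

# Simplified Signature Block: First Message Number plus its Hash Block.
SigBlock = namedtuple("SigBlock", "first_msg_number hashes")


def digest(msg: bytes) -> str:
    return hashlib.sha256(msg).hexdigest()


def make_blocks(messages, window, step):
    """Originator: each block covers `window` messages and starts `step`
    messages after the previous one (step < window gives overlap)."""
    blocks, start = [], 0
    while True:
        chunk = messages[start:start + window]
        blocks.append(SigBlock(start + 1, tuple(digest(m) for m in chunk)))
        if start + window >= len(messages):
            return blocks
        start += step


def verify(received, blocks):
    """Collector: returns (verified {number: msg}, unverified msgs,
    missing numbers, conflicting numbers)."""
    attested, conflicts = {}, set()
    for block in blocks:
        for offset, d in enumerate(block.hashes):
            number = block.first_msg_number + offset
            # With overlap the same message number appears in several blocks:
            # record it once, and treat disagreement between blocks as an error.
            if attested.setdefault(number, d) != d:
                conflicts.add(number)
    # Messages carry no number; the collector finds it by looking up the hash.
    number_of = {d: n for n, d in attested.items() if n not in conflicts}
    verified, unverified = {}, []
    for msg in received:
        number = number_of.get(digest(msg))
        if number is None:
            unverified.append(msg)      # no attested hash matches this message
        else:
            verified[number] = msg
    missing = sorted(set(number_of.values()) - set(verified))
    return verified, unverified, missing, sorted(conflicts)


# Constructed sample messages (distinct timestamps keep the hashes distinct).
MESSAGES = [f"<34>1 2008-07-24T10:00:{i:02d}Z web1 app - - - event {i}".encode()
            for i in range(1, 9)]


def run(window, step, lost_block, received=MESSAGES):
    """Drop one Signature Block in transit and report what is still provable."""
    blocks = make_blocks(MESSAGES, window, step)
    delivered = [b for i, b in enumerate(blocks) if i != lost_block]
    verified, unverified, missing, conflicts = verify(received, delivered)
    return sorted(verified), len(unverified), missing, conflicts


if __name__ == "__main__":
    print("no overlap, block 2 lost:", run(4, 4, 1))
    print("overlap,    block 2 lost:", run(4, 2, 1))
```

With a step of 2 and a window of 4, only the first two and last two messages are covered by a single block; every other message survives the loss of any one Signature Block.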


From syslog-bounces@ietf.org  Thu Jul 24 03:18:27 2008
Date: Thu, 24 Jul 2008 13:17:37 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72013502D1@vaebe104.NOE.Nokia.com>
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
Subject: [Syslog] Syslog-sign: Example?


Some parts of the document are a bit difficult to follow because there
aren't any examples. I think the readability would be significantly
improved if e.g. Sections 4 and 5 had an example showing a couple of
syslog messages and corresponding Signature and Certificate Blocks.

(If there are existing implementations, presumably an example
would be simple to generate.)

Best regards,
Pasi


From syslog-bounces@ietf.org  Thu Jul 24 03:37:17 2008
Date: Thu, 24 Jul 2008 13:36:41 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72013502F1@vaebe104.NOE.Nokia.com>
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
Subject: [Syslog] Syslog-sign: Multiple signers on host?

In some places, the draft seems to assume the "traditional Unix model"
where a host has a single "syslog daemon", which receives messages
from applications via IPC, and sends them to relays/collectors using
the syslog protocol (and signs them).  This of course isn't the case
in all systems; e.g. if I configure Apache Tomcat on Windows to send
messages to a remote syslog collector, it does so directly (not going
via any central syslog daemon).

If there are multiple syslog signers on the same host, the assumption
(in Section 3) that "the signature and certificate data do not need to
include an additional parameter to identify the machine that originates
the message" is no longer 100% accurate. While HOSTNAME identifies the
host, to figure out which Certificate Block messages belong together,
and which Payload Block applies to which Signature Block, it seems
additional information could be needed in some situations? (unless 
you try all combinations by brute force)

There might be many different ways to solve this problem; one
semi-obvious one would be to include the hash of the Payload Block in
all Certificate Block and Signature Block messages.  Or perhaps it
should be some kind of session identifier, similar to reboot session
ID, except not monotonically increasing? (This could be e.g. hash of
payload block, process ID of the process doing the signing, the local
time the process was started, and similar things likely to result in a
unique string.) Or maybe something else? Are the APP-NAME/PROCID
of any use here?

Section 4.2.2 (about the reboot session ID) also assumes a central
syslog process that's tightly coupled with host reboots -- it should
be described in terms that make sense in other models, too.

Best regards,
Pasi
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
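
The suggestion in the message above, carrying a hash of the Payload Block in every Certificate Block so a collector can tell two signers on one HOSTNAME apart, sketched as an added example that is not part of the post or the draft. The `sid` field, the `Frag` layout, the 16-hex-digit truncation and the fragment size are hypothetical; both payloads are constructed.

```python
import base64
import hashlib
from collections import namedtuple

# Simplified Certificate Block fragment; `sid` is the hypothetical extra field.
Frag = namedtuple("Frag", "hostname sid total_len index frag")


def session_id(payload: str) -> str:
    """Hypothetical signer identifier: truncated SHA-256 of the Payload Block."""
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


def fragment(hostname, payload, size=24):
    """Originator: cut one Payload Block into fragments (index is 1-based)."""
    sid = session_id(payload)
    return [Frag(hostname, sid, len(payload), i + 1, payload[i:i + size])
            for i in range(0, len(payload), size)]


def reassemble(frags, key):
    """Collector: group fragments with `key` and rebuild each payload.
    A group maps to None when it is inconsistent or incomplete."""
    groups = {}
    for f in frags:
        groups.setdefault(key(f), []).append(f)
    result = {}
    for k, members in groups.items():
        total = members[0].total_len
        buf = [None] * total
        consistent = all(m.total_len == total for m in members)
        for m in members:
            for off, ch in enumerate(m.frag):
                pos = m.index - 1 + off
                if pos >= total or buf[pos] not in (None, ch):
                    consistent = False      # two fragments disagree
                else:
                    buf[pos] = ch
        complete = consistent and None not in buf
        result[k] = "".join(buf) if complete else None
    return result


def reassemble_by_signer(frags):
    """Group by (HOSTNAME, sid), then check the sid against the rebuilt payload;
    an identifier that is never checked would identify nothing."""
    rebuilt = reassemble(frags, key=lambda f: (f.hostname, f.sid))
    return {k: (p if p is not None and session_id(p) == k[1] else None)
            for k, p in rebuilt.items()}


# Constructed payloads for two signers on the same host: the central syslog
# daemon and an application that sends to the collector directly.
SYSLOGD = "syslogd " + base64.b64encode(b"constructed key blob A" * 3).decode()
TOMCAT = "tomcat " + base64.b64encode(b"constructed key blob B, longer" * 3).decode()


def interleaved():
    """Fragments of both signers as they might arrive, alternating."""
    a, b = fragment("web1", SYSLOGD), fragment("web1", TOMCAT)
    mixed = []
    for i in range(max(len(a), len(b))):
        mixed += a[i:i + 1] + b[i:i + 1]
    return mixed


if __name__ == "__main__":
    print("HOSTNAME only:", reassemble(interleaved(), key=lambda f: f.hostname))
    print("HOSTNAME+sid :", reassemble_by_signer(interleaved()))
```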


From syslog-bounces@ietf.org  Thu Jul 24 03:39:15 2008
Date: Thu, 24 Jul 2008 13:38:24 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB72013502F7@vaebe104.NOE.Nokia.com>
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
Subject: [Syslog] Syslog-sign: Verifying certificate

Currently, Section 8.9 simply says that "Network administrators need
to verify that the key contained in the Payload Block is indeed the
key being used on the actual originator."

I think something more is needed to get interoperable implementations.
E.g., in syslog-transport-tls, there's text talking about configuration 
of trust anchors, certification path validation, and matching subject 
names against some preconfigured values (although here matching
against HOSTNAME could be possible, too). 

If this draft is intended to be used without real PKI (as Jon Callas's 
mail yesterday suggested), then something resembling the fingerprint
mechanism -- or at least some description of how things are supposed
to work -- could be needed, too.

Best regards,
Pasi

_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
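
One way the fingerprint mechanism asked for above could work under the direct-trust model, where the certificate in the Payload Block is its own trust anchor. This is an added example, not text from the draft or from any post: the `sha-256:` label style is borrowed from syslog-transport-tls fingerprints as an assumption, the class and result strings are hypothetical, and the certificate bytes and hostnames are constructed stand-ins.

```python
import hashlib

ALGO = "sha-256"      # assumed label, in the style of syslog-transport-tls
HEX_LEN = 64


def _pairs(hx: str) -> str:
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint of the certificate bytes carried in the Payload Block."""
    return ALGO + ":" + _pairs(hashlib.sha256(cert_der).hexdigest().upper())


def parse_pin(text: str) -> str:
    """Normalise an operator-entered pin; refuse one that could never match."""
    algo, sep, rest = text.strip().partition(":")
    hx = rest.replace(":", "").replace(" ", "").upper()
    if not sep or algo.lower() != ALGO:
        raise ValueError(f"unsupported fingerprint algorithm in {text!r}")
    if len(hx) != HEX_LEN or any(c not in "0123456789ABCDEF" for c in hx):
        raise ValueError(f"malformed fingerprint {text!r}")
    return ALGO + ":" + _pairs(hx)


class PinnedCollector:
    """Accepts a Payload Block certificate only if its fingerprint was
    configured out of band for the HOSTNAME that sent it."""

    def __init__(self, pins):
        # pins: {HOSTNAME: [fingerprint, ...]}; several pins allow key rollover.
        self.pins = {host.lower(): {parse_pin(p) for p in plist}
                     for host, plist in pins.items()}

    def check_payload(self, hostname: str, cert_der: bytes) -> str:
        allowed = self.pins.get(hostname.lower())
        if not allowed:
            return "reject:no-pin"
        if fingerprint(cert_der) not in allowed:
            return "reject:mismatch"
        return "accept"


def check_payload_blind(hostname: str, cert_der: bytes) -> str:
    """Weak baseline: trust whatever certificate arrives in-band. The
    signatures then prove only that someone holds the matching key."""
    return "accept"


# Constructed stand-ins for DER certificates.
WEB1_CERT = b"constructed bytes standing in for web1's DER certificate"
WEB1_NEXT = b"constructed bytes standing in for web1's replacement certificate"
OTHER_CERT = b"constructed bytes standing in for a certificate nobody enrolled"


def demo():
    collector = PinnedCollector({
        "web1.example.net": [fingerprint(WEB1_CERT).lower(),  # as an operator might paste it
                             fingerprint(WEB1_NEXT)],
    })
    cases = [("web1.example.net", WEB1_CERT),   # enrolled key
             ("WEB1.example.net", WEB1_NEXT),   # rollover key, different case
             ("web1.example.net", OTHER_CERT),  # key that was never enrolled
             ("db7.example.net", WEB1_CERT)]    # host without any pin
    return [(check_payload_blind(h, c), collector.check_payload(h, c))
            for h, c in cases]


if __name__ == "__main__":
    for blind, pinned in demo():
        print(f"blind={blind:7} pinned={pinned}")
```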


From syslog-bounces@ietf.org  Thu Jul 24 03:41:12 2008
Date: Thu, 24 Jul 2008 13:40:27 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB7201350302@vaebe104.NOE.Nokia.com>
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
Subject: [Syslog] Syslog-sign: Minor clarifications, part 2

Is it possible to sign the same set of messages with multiple
algorithms (by sending multiple Payload and Signature Blocks) to
provide smooth algorithm transition? (i.e., if the originator 
is upgraded first, it would sign the messages both with old and 
new algorithm -- using the old algorithm could be switched off
some time after the collector is upgraded, too.)

Section 4.2.5: When counting messages for the "First Message Number"
field, are Signature Blocks and Certificate Blocks also counted?

Should earlier Signature Block and/or Certificate Block messages
be included in Hash Blocks?

Section 7: the text seems to assume that Reboot Session ID is
included; what about the case when originator does not maintain
state across reboots? (always sends Reboot Session ID 0)

Best regards,
Pasi


From syslog-bounces@ietf.org  Thu Jul 24 03:41:26 2008
Date: Thu, 24 Jul 2008 13:40:44 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB720135030A@vaebe104.NOE.Nokia.com>
From: <Pasi.Eronen@nokia.com>
To: <syslog@ietf.org>
Subject: [Syslog] Syslog-sign: Editorial nits, part 2

Needs a reference to RFC 5280 (for PKIX certificates).

It seems references [3] (NIST SP 800-90) and [6] (RFC 3414) 
could be informative references instead of normative.

Reference [11] (RFC 2119) needs to be normative.

Best regards,
Pasi


From syslog-bounces@ietf.org  Thu Jul 24 03:49:03 2008
Date: Thu, 24 Jul 2008 12:49:42 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA44EE93@grfint2.intern.adiscon.com>
In-Reply-To: <3E9E1070-3E11-4AA7-B8B3-DF8FA6DF8769@callas.org>
References: <1696498986EFEC4D9153717DA325CB720134FF5F@vaebe104.NOE.Nokia.com>
	<3E9E1070-3E11-4AA7-B8B3-DF8FA6DF8769@callas.org>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Jon Callas" <jon@callas.org>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: Certificate chains?

I think the core point is that trust models in -sign and -transport-TLS
are quite different. At least, I think, it would be useful to provide a
mapping between the two.

Rainer

> -----Original Message-----
> From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On
> Behalf Of Jon Callas
> Sent: Wednesday, July 23, 2008 8:45 PM
> To: <Pasi.Eronen@nokia.com>
> Cc: syslog@ietf.org
> Subject: Re: [Syslog] Syslog-sign: Certificate chains?
> 
> 
> On Jul 23, 2008, at 5:27 AM, <Pasi.Eronen@nokia.com> <Pasi.Eronen@nokia.com> wrote:
> 
> >
> > Most IETF protocols that send certificates around support sending
> > certificate chains, too. Should syslog-sign support this, too?
> > If not, why?
> 
> The model is for a more direct trust system where the certificate
> transferred is its own trust anchor. So if I am going to send you a log
> stream that I'll be signing with a certificate, I just send you the
> cert that I'm signing with. There's no need for a chain. Perhaps that
> cert descends from a formal CA and that may contain its own goodness,
> but it is not necessary.
> 
> 	Jon


From syslog-bounces@ietf.org  Sun Jul 27 03:48:19 2008
Message-ID: <488C5270.3010403@mschuette.name>
Date: Sun, 27 Jul 2008 12:48:16 +0200
From: Martin Schütte <lists@mschuette.name>
User-Agent: Thunderbird 2.0.0.14 (X11/20080511)
MIME-Version: 1.0
To: syslog@ietf.org
References: <1696498986EFEC4D9153717DA325CB720134FF58@vaebe104.NOE.Nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB720134FF58@vaebe104.NOE.Nokia.com>
Subject: Re: [Syslog] Syslog-sign: RSA support?

Pasi.Eronen@nokia.com wrote:
> The specification supports only DSA, which means it can't be used with
> certificates most folks already have (or can most easily obtain from
> any CA). Was this an intentional design decision? If so, I'd like to
> hear some background for it...

The DSS (FIPS 186-2, 
http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf)
consists of three signature algorithms and covers DSA, RSA and ECDSA.

I would suggest using these three for syslog-sign.

-- 
Martin


From syslog-bounces@ietf.org  Sun Jul 27 03:51:13 2008
Message-ID: <488C52F8.5010504@mschuette.name>
Date: Sun, 27 Jul 2008 12:50:32 +0200
From: Martin Schütte <lists@mschuette.name>
User-Agent: Thunderbird 2.0.0.14 (X11/20080511)
MIME-Version: 1.0
To: syslog@ietf.org
References: <1696498986EFEC4D9153717DA325CB720134FF5F@vaebe104.NOE.Nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB720134FF5F@vaebe104.NOE.Nokia.com>
Subject: Re: [Syslog] Syslog-sign: Certificate chains?

Pasi.Eronen@nokia.com wrote:
> Most IETF protocols that send certificates around support sending
> certificate chains, too. Should syslog-sign support this, too?
> If not, why?

As Jon said, it is not required for the signing as such.

But both PKIX and OpenPGP keys can be signed and users might have a 
security policy to verify the keys used for signing.
To encourage this in verification tools we could suggest a key 
verification in Section 7 (Efficient Verification of Logs) or Section 
8.9 (Man In The Middle Attacks).

-- 
Martin


From syslog-bounces@ietf.org  Sun Jul 27 03:57:46 2008
Message-ID: <488C530F.3090101@mschuette.name>
Date: Sun, 27 Jul 2008 12:50:55 +0200
From: Martin Schütte <lists@mschuette.name>
User-Agent: Thunderbird 2.0.0.14 (X11/20080511)
MIME-Version: 1.0
To: syslog@ietf.org
References: <1696498986EFEC4D9153717DA325CB72013502F1@vaebe104.NOE.Nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB72013502F1@vaebe104.NOE.Nokia.com>
Subject: Re: [Syslog] Syslog-sign: Multiple signers on host?

Pasi.Eronen@nokia.com wrote:
> Or maybe something else? Are the APP-NAME/PROCID
> of any use here?

IMHO the easiest solution would be a requirement for every sender to 
provide APP-NAME/PROCID information.

Then every originator is determined by the triple (HOSTNAME, APP-NAME, 
PROCID) and every signature group by (HOSTNAME, APP-NAME, PROCID, SG, SPRI).

> Section 4.2.2 (about the reboot session ID) also assumes a central
> syslog process that's tightly coupled with host reboots -- it should
> be described in terms that make sense in other models, too.

Is it acceptable to use the time(), i.e. seconds since the epoch, as a 
reboot session ID?

This does "increase whenever an originator reboots" even without the 
need "to retain the previous Reboot Session ID across reboots" and 
without any relation to host reboots.

-- 
Martin


From syslog-bounces@ietf.org  Sun Jul 27 06:47:08 2008
Message-ID: <488C7C58.7040807@mschuette.name>
Date: Sun, 27 Jul 2008 15:47:04 +0200
From: Martin Schütte <lists@mschuette.name>
User-Agent: Thunderbird 2.0.0.14 (X11/20080511)
MIME-Version: 1.0
To: syslog@ietf.org
References: <1696498986EFEC4D9153717DA325CB720134FF6C@vaebe104.NOE.Nokia.com>
In-Reply-To: <1696498986EFEC4D9153717DA325CB720134FF6C@vaebe104.NOE.Nokia.com>
Subject: Re: [Syslog] Syslog-sign: Minor clarifications, part 1

Pasi.Eronen@nokia.com wrote:
> Sections 4 and 5: The document is a bit vague on how the DSA signature
> is encoded in the Signature Block; it talks about "OpenPGP DSA" (which
> might mean the "two MPIs" encoding in RFC 4880), but this is different
> than the encoding used in most IETF protocols (DER encoding of
> SEQUENCE of two INTEGERs). Which one is it?

From an implementation perspective I would like to use DER encoding for
keys (key blob type 'K') and signatures. I think that covers all 
key/signature types (even beyond DSA) and is supported by all common 
libraries.

> Section 4.2.8 and 5.3.2.8: The text needs to be clearer about the
> exact data which is signed. Does this mean a complete SYSLOG-MSG
> (including MSG and other structured data after "ssign", if any),

IMHO this is the desired behaviour.

> except that STRUCTURED-DATA does not yet contain the SIGN parameter
> (and the space separating it from the previous parameter)? Also,
> excluding spaces here seems really strange -- after all, they're
> included when calculating hashes -- and would seem to complicate
> implementation (also, it's not totally obvious what spaces exactly
> would be excluded).

I have no idea what is meant by "excluding spaces between fields". --
Which fields are referred to? And why should that be useful?

I would prefer just to omit the SIGN parameter (and the space).
So for example this line is signed:
<110>1 2008-07-27T14:54:11.020331+02:00 host.example.com syslogd - - 
[ssign VER="0121" RSID="1217163210" SG="3" SPRI="0" GBC="39" FMN="381" 
CNT="10" HB="hsal3vls9LYYmILWrRMmDCfXZyNiPZZftv1pCq99SFk= 
D9aHiwq402fGcQZbJvJokhYWcneWypmdQN5lzlEUe4k= 
u0PrH7zDcNaQxnTZw1qu5yuE7MmPpGsh2pPMhyWJlMA= 
1jcrmsNxVFqn1hYAhdKhZKC2iRibECdqQXwSeR6rfnM= 
Rg9xSrmaRZgDbQIyTIN8F9kwMAZsOWk7JDy3vZBshlI= 
Cbf5sknv2zW/pT/OQ+yFh1Ge2Hnn9vaiAU8NeQlwTbA= 
Kl+hnkGOVcMp+iTQ2StbG3g1Sa4sUS6fcBR3z6+/eqY= 
MgOdm1ad/Gkm/emuyPNyKThYQVT9s6W8fk7yqJoid+Y= 
FUY1mt13kFPyoA7yyiR/kIX1dWXXRSahxUMn8rxfunI= 
az/IpvjG1egbXr2xj0hPfCxKGWpAwbdHMkTjcznOpxQ="]

And after inserting the signature this will be sent:
<110>1 2008-07-27T14:54:11.020331+02:00 host.example.com syslogd - - 
[ssign VER="0121" RSID="1217163210" SG="3" SPRI="0" GBC="39" FMN="381" 
CNT="10" HB="hsal3vls9LYYmILWrRMmDCfXZyNiPZZftv1pCq99SFk= 
D9aHiwq402fGcQZbJvJokhYWcneWypmdQN5lzlEUe4k= 
u0PrH7zDcNaQxnTZw1qu5yuE7MmPpGsh2pPMhyWJlMA= 
1jcrmsNxVFqn1hYAhdKhZKC2iRibECdqQXwSeR6rfnM= 
Rg9xSrmaRZgDbQIyTIN8F9kwMAZsOWk7JDy3vZBshlI= 
Cbf5sknv2zW/pT/OQ+yFh1Ge2Hnn9vaiAU8NeQlwTbA= 
Kl+hnkGOVcMp+iTQ2StbG3g1Sa4sUS6fcBR3z6+/eqY= 
MgOdm1ad/Gkm/emuyPNyKThYQVT9s6W8fk7yqJoid+Y= 
FUY1mt13kFPyoA7yyiR/kIX1dWXXRSahxUMn8rxfunI= 
az/IpvjG1egbXr2xj0hPfCxKGWpAwbdHMkTjcznOpxQ=" 
SIGN="39tqZ4p5aWaUs4IOhTRfVT2f95E="]

> Section 4.2 and 5.3.2: Are the SD-PARAMs always in this order,
> or can they be in any order?

I had the impression that the order of SD-PARAMs (and SD-ELEMENTs) 
should always be considered arbitrary and irrelevant for interpretation, 
but now that I am looking for it I do not find that in syslog-protocol  :-/

> Is it possible that some extension
> will later add new SD-PARAMs to these SD-IDs -- if so, how old
> implementations should handle them?

I think it should be possible to extend the SDs and the exact set of 
SD-PARAMs should depend on the VERsion.

BTW, should it be explicitly required that every SD-PARAM occurs once? 
It seems obvious, but syslog-protocol allows repeated parameters...

-- 
Martin
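
The signing input Martin proposes above (the complete message with the SIGN parameter and the space before it omitted), together with the once-only SD-PARAM check he raises, as an added example that is not part of the original thread or of any syslog-sign implementation. The function names, the sample message and its hash values are constructed; parsing assumes the syslog-protocol grammar as later published in RFC 5424.

```python
class SignBlockError(ValueError):
    """Raised when the ssign element is missing or malformed."""


def scan_element(msg, pos):
    """Parse the SD-ELEMENT starting at msg[pos].

    Returns (sd_id, params, end). params is a list of (name, start, end)
    spans; start is the offset of the space that precedes the parameter.
    """
    if pos >= len(msg) or msg[pos] != "[":
        raise SignBlockError("SD-ELEMENT must start with '['")
    i = pos + 1
    while i < len(msg) and msg[i] not in " ]":
        i += 1
    sd_id, params = msg[pos + 1:i], []
    while i < len(msg) and msg[i] == " ":
        eq = msg.find('="', i)
        if eq < 0:
            raise SignBlockError("SD-PARAM without a quoted value")
        j = eq + 2
        while j < len(msg) and msg[j] != '"':
            j += 2 if msg[j] == "\\" else 1   # skip escaped \" \\ \]
        if j >= len(msg):
            raise SignBlockError("unterminated PARAM-VALUE")
        params.append((msg[i + 1:eq], i, j + 1))
        i = j + 1
    if i >= len(msg) or msg[i] != "]":
        raise SignBlockError("unterminated SD-ELEMENT")
    return sd_id, params, i + 1


def ssign_params(msg):
    """Locate the ssign element and return its parameter spans."""
    pos = 0
    # Skip PRI+VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID and MSGID.
    for _ in range(6):
        sp = msg.find(" ", pos)
        if sp < 0:
            raise SignBlockError("truncated header")
        pos = sp + 1
    while pos < len(msg) and msg[pos] == "[":
        sd_id, params, pos = scan_element(msg, pos)
        if sd_id == "ssign":
            names = [name for name, _, _ in params]
            repeated = sorted({n for n in names if names.count(n) > 1})
            if repeated:
                raise SignBlockError("repeated SD-PARAM: " + ", ".join(repeated))
            return params
    raise SignBlockError("no ssign element in STRUCTURED-DATA")


def signing_input(msg):
    """Return the message exactly as it was before SIGN was inserted."""
    for name, start, end in ssign_params(msg):
        if name == "SIGN":
            return msg[:start] + msg[end:]   # drops the leading space too
    return msg


def insert_signature(unsigned, sig_b64):
    """Append SIGN as the last parameter of the ssign element."""
    params = ssign_params(unsigned)
    if not params:
        raise SignBlockError("ssign element has no parameters")
    if any(name == "SIGN" for name, _, _ in params):
        raise SignBlockError("message already carries SIGN")
    end = params[-1][2]
    return unsigned[:end] + ' SIGN="' + sig_b64 + '"' + unsigned[end:]


# Constructed sample: header fields follow the message shown in the thread;
# the hash values, the second SD-ELEMENT and the MSG text are made up.
UNSIGNED = (
    '<110>1 2008-07-27T14:54:11.020331+02:00 host.example.com syslogd - - '
    '[ssign VER="0121" RSID="1217163210" SG="3" SPRI="0" GBC="39" FMN="381" '
    'CNT="2" HB="AAAAAAAAAAAAAAAAAAAAAAAAAAA= BBBBBBBBBBBBBBBBBBBBBBBBBBB="]'
    '[note@32473 text="a \\] inside a value"] trailing text'
)

if __name__ == "__main__":
    signed = insert_signature(UNSIGNED, "c2lnbmF0dXJl")
    print(signed)
    print(signing_input(signed) == UNSIGNED)
```

A verifier that recomputes the signed bytes this way does not depend on SIGN being the last parameter, which matters if SD-PARAM order is treated as arbitrary.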


From syslog-bounces@ietf.org  Mon Jul 28 01:43:45 2008
Message-Id: <34A02E87-89BC-4716-BA45-89B2AFD23DB5@callas.org>
From: Jon Callas <jon@callas.org>
To: Martin Schütte <lists@mschuette.name>
In-Reply-To: <488C5270.3010403@mschuette.name>
Mime-Version: 1.0 (Apple Message framework v928.1)
Date: Mon, 28 Jul 2008 01:43:49 -0700
References: <1696498986EFEC4D9153717DA325CB720134FF58@vaebe104.NOE.Nokia.com>
	<488C5270.3010403@mschuette.name>
X-Mailer: Apple Mail (2.928.1)
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: RSA support?


On Jul 27, 2008, at 3:48 AM, Martin Schütte wrote:

> Pasi.Eronen@nokia.com wrote:
>> The specification supports only DSA, which means it can't be used with
>> certificates most folks already have (or can most easily obtain from
>> any CA). Was this an intentional design decision? If so, I'd like to
>> hear some background for it...
>
> The DSS (FIPS 186-2, http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf)
> consists of three signature algorithms and covers DSA, RSA and ECDSA.
>
> I would suggest using these three for syslog-sign.

Well, the reason it's DSA is that the size of a DSA signature is
proportional to the size of the hash function rather than the key. At
the time John Kelsey did the first protocol, we were talking about DSA
with SHA-1. Now, of course, there are more options.

Nonetheless, if you're going to do syslog-sign over udp, there's a
real need to keep the signatures small.

That is why it is DSA. It's also why the encoding is the OpenPGP
encoding, and not DER. It's all to keep things as tight as possible.

Obviously, if you're going to do it over TCP, or even TLS, the
tightness is not needed as much. However, it's still nice to have a
protocol that is parsimonious on data. I think ECDSA makes much more
sense than RSA for it.

	Jon




From syslog-bounces@ietf.org  Mon Jul 28 02:32:02 2008
Date: Mon, 28 Jul 2008 12:31:55 +0300
Message-ID: <1696498986EFEC4D9153717DA325CB7201350CDE@vaebe104.NOE.Nokia.com>
In-Reply-To: <34A02E87-89BC-4716-BA45-89B2AFD23DB5@callas.org>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Syslog] Syslog-sign: RSA support?
Thread-Index: AcjwjhRE9B3Q9AKnQ+eP6m0208g92AABZNFg
References: <1696498986EFEC4D9153717DA325CB720134FF58@vaebe104.NOE.Nokia.com><488C5270.3010403@mschuette.name>
	<34A02E87-89BC-4716-BA45-89B2AFD23DB5@callas.org>
From: <Pasi.Eronen@nokia.com>
To: <jon@callas.org>, <lists@mschuette.name>
X-OriginalArrivalTime: 28 Jul 2008 09:31:55.0190 (UTC)
	FILETIME=[C63EF560:01C8F094]
X-Nokia-AV: Clean
Cc: syslog@ietf.org
Subject: Re: [Syslog] Syslog-sign: RSA support?

Jon Callas wrote:

> Well, the reason it's DSA is that the size of a DSA signature is
> proportional to the size of the hash function rather than the
> key. At the time John Kelsey did the first protocol, we were talking
> about DSA with SHA-1. Now, of course, there are more options.
> 
> Nonetheless, if you're going to do syslog-sign over udp, there's a
> real need to keep the signatures small.

Based on quick back-of-the-envelope calculations, it seems the
difference between RSA and DSA isn't that big.

With DSA and SHA-1, you could put ~65 hashes in a Signature
Block (while keeping it under 2048 bytes); with RSA (1024-bit
key) and SHA-1, you could put ~60. Or in other words: the
hash block is much larger than the signature.

Best regards,
Pasi
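
The size comparison discussed by Jon and Pasi above, worked through as an added example (not from the thread or from any syslog-sign implementation): it encodes a DSA (r, s) pair both as two OpenPGP MPIs and as a DER SEQUENCE of two INTEGERs, then counts how many SHA-1 hashes fit in a 2048-byte Signature Block. The message skeleton, function names and integer values are constructed, so the counts depend on those assumptions and are not the thread's figures.

```python
import base64

LIMIT = 2048   # Signature Block size bound used in the thread's estimate

# Constructed skeleton: field values copied from the sample message in the
# thread, ending at the opening quote of HB. Only its length matters here.
PREFIX = (
    '<110>1 2008-07-27T14:54:11.020331+02:00 host.example.com syslogd - - '
    '[ssign VER="0121" RSID="1217163210" SG="3" SPRI="0" GBC="39" '
    'FMN="381" CNT="10" HB="'
)
SUFFIX = '" SIGN="{}"]'


def mpi(n):
    """OpenPGP MPI (RFC 4880): 2-byte bit count, then the magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(n):
    """DER INTEGER for n >= 0; a 0x00 pad appears when the top bit is set."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def dsa_sig_openpgp(r, s):
    """The 'two MPIs' encoding of a DSA signature."""
    return mpi(r) + mpi(s)


def dsa_sig_der(r, s):
    """DER SEQUENCE of two INTEGERs."""
    body = der_int(r) + der_int(s)
    return b"\x30" + der_len(len(body)) + body


def b64_len(n):
    """Length of the padded base64 text for n raw bytes."""
    return 4 * ((n + 2) // 3)


def build_block(hashes, sig):
    """Assemble a Signature Block message from raw hashes and a signature."""
    hb = " ".join(base64.b64encode(h).decode("ascii") for h in hashes)
    return PREFIX + hb + SUFFIX.format(base64.b64encode(sig).decode("ascii"))


def max_hashes(sig_len, hash_len=20):
    """Largest hash count that keeps the whole message within LIMIT."""
    fixed = len(PREFIX) + len(SUFFIX.format(""))
    room = LIMIT - fixed - b64_len(sig_len)
    # k hashes separated by single spaces take k * b64_len(hash_len) + (k - 1)
    return (room + 1) // (b64_len(hash_len) + 1)


# Constructed 160-bit values with the top bit set: the largest encoding of
# a DSA signature over a 160-bit subgroup in both formats.
R = (1 << 159) | 1
S = (1 << 160) - 1

if __name__ == "__main__":
    cases = (
        ("DSA, two MPIs", len(dsa_sig_openpgp(R, S))),
        ("DSA, DER", len(dsa_sig_der(R, S))),
        ("RSA-1024, raw 128-byte signature", 128),
    )
    for label, sig_len in cases:
        print(label, sig_len, "bytes ->", max_hashes(sig_len), "hashes")
```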


