
From root@core3.amsl.com  Wed May 27 11:15:01 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: syslog@ietf.org
Delivered-To: syslog@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id BBBFA3A7127; Wed, 27 May 2009 11:15:01 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090527181501.BBBFA3A7127@core3.amsl.com>
Date: Wed, 27 May 2009 11:15:01 -0700 (PDT)
Cc: syslog@ietf.org
Subject: [Syslog] I-D Action:draft-ietf-syslog-sign-26.txt
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2009 18:15:01 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.


	Title           : Signed syslog Messages
	Author(s)       : J. Kelsey, et al.
	Filename        : draft-ietf-syslog-sign-26.txt
	Pages           : 45
	Date            : 2009-05-27

This document describes a mechanism to add origin authentication,
message integrity, replay resistance, message sequencing, and
detection of missing messages to the transmitted syslog messages.
This specification is intended to be used in conjunction with the
work defined in [RFC5424], "The syslog Protocol".

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-26.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-syslog-sign-26.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-05-27111234.I-D@ietf.org>


--NextPart--

From alex@cisco.com  Wed May 27 11:19:02 2009
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 27 May 2009 11:20:14 -0700
Message-ID: <85B2F271FDF6B949B3672BA5A7BB62FB07C98B0C@xmb-sjc-236.amer.cisco.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB7727F22149EE@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB7727F22149EE@NOK-EUMSG-01.mgdnok.nokia.com>
From: "Alexander Clemm (alex)" <alex@cisco.com>
To: <Pasi.Eronen@nokia.com>, <syslog@ietf.org>
Subject: [Syslog] Syslog-sign -26

Hi,

I just submitted version -26, addressing the items below.  E.g.: New
examples have been included.
TBPL was changed to TPBL. Clarification on the "leading zeroes omitted",
where parameters contain decimal values. Clarification on the unix
system time.

The most important issue concerned the issue of having multiple signers.
After some contemplating, I decided that this can be resolved quite
simply by clarifying that the combination of APP-NAME and PROCID refers
to a unique signer (no, I didn't introduce it as a new term, it's still
originator), and needs to be consistent between Certificate Block and
Signature Block messages.  If multiple originators are used, they each
in effect have their own "scope" - they each have their own Payload
Block and Signature Blocks etc.

The algorithm in section 7 can stay the same, but I added some
clarification also there about how to identify/distinguish between
different originators, and the fact that consistency between Certificate
Block and Signature Block messages with regards to the originator needs
to be checked.

Regards
--- Alex

-----Original Message-----
From: syslog-bounces@ietf.org [mailto:syslog-bounces@ietf.org] On Behalf
Of Pasi.Eronen@nokia.com
Sent: Monday, April 06, 2009 4:06 AM
To: syslog@ietf.org
Subject: [Syslog] Syslog-sign -25


Hi Alexander, Jon and others,

Version -25 looks pretty good, and addresses all my comments except
one: the email "Signature groups, originators, etc." (on February 5).

Could you take the first attempt in proposing text that clarifies the
definition of Signature Group, and makes the algorithm in Section 7.1
actually work in all the cases?

Couple of minor nits:

- As Martin pointed out, the examples (4.2.9 and 5.3.2.9) still
  use DER encoding, not MPIs
- The SD-PARAM-NAME for Total Payload Block Length should be
  "TPBL", right? (not TBPL)
- Section 5.3.2.8, typo "Section Section"
- As pointed out by Richard (on December 22), Sections 5.3.2.4 and
  5.3.2.6 should have "with leading zeroes omitted" (like all other
  integer-valued fields)

Best regards,
Pasi
_______________________________________________
Syslog mailing list
Syslog@ietf.org
https://www.ietf.org/mailman/listinfo/syslog
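
A collector-side sketch of the originator consistency check discussed in this thread, added as an example; it is not code from the draft or from any participant. It keys each originator on HOSTNAME, APP-NAME and PROCID, reports Signature Blocks that have no Certificate Block from the same originator, and rejects decimal parameters written with leading zeroes. Assumptions: the SD-IDs `ssign` and `ssign-cert` and the parameter names follow the published RFC 5848, including HOSTNAME in the key is a choice made here, and the sample lines and the name `check_originators` are constructed.

```python
import re
from collections import defaultdict

# RFC 5424 header fields followed by a syslog-sign structured-data element.
HEADER = re.compile(
    r'^<\d{1,3}>1 \S+ (\S+) (\S+) (\S+) \S+ \[(ssign(?:-cert)?) ([^\]]*)\]')
PARAM = re.compile(r'([A-Z]+)="([^"]*)"')
# Parameters treated as decimal here (assumption, names from RFC 5848).
DECIMAL = ("RSID", "GBC", "FMN", "CNT", "TPBL", "INDEX", "FLEN")

def _line(procid, sd):
    # Constructed sample line; host, app name and timestamp are made up.
    return f'<110>1 2009-05-27T18:15:01Z host-a syslogd {procid} - [{sd}]'

# Constructed traffic; FRAG, HB and SIGN values are placeholders.
SAMPLE = [
    _line(2138, 'ssign-cert VER="0111" RSID="1" SG="0" SPRI="0" TPBL="587" '
                'INDEX="1" FLEN="587" FRAG="c2FtcGxl" SIGN="c2FtcGxl"'),
    _line(2138, 'ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="2" FMN="1" '
                'CNT="1" HB="c2FtcGxl" SIGN="c2FtcGxl"'),
    # Second signer on the same host: different PROCID, so its own scope.
    _line(4410, 'ssign VER="0111" RSID="1" SG="0" SPRI="0" GBC="02" FMN="1" '
                'CNT="1" HB="c2FtcGxl" SIGN="c2FtcGxl"'),
    '<34>1 2009-05-27T18:15:02Z host-a su 991 ID47 - login failed',
]

def check_originators(lines):
    """Return sorted (originator, problem) pairs for signed-syslog lines."""
    seen = defaultdict(lambda: {"ssign": set(), "ssign-cert": set()})
    problems = []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # ordinary message, no signature or certificate block
        host, app, procid, sd_id, body = m.groups()
        origin = (host, app, procid)
        params = dict(PARAM.findall(body))
        for name in DECIMAL:
            value = params.get(name)
            if value is not None and not re.fullmatch(r"0|[1-9][0-9]*", value):
                problems.append((origin, f'{name}="{value}" has leading '
                                         'zeroes or is not decimal'))
        seen[origin][sd_id].add(params.get("RSID"))
    # Order-independent: Certificate Blocks may arrive after Signature Blocks.
    for origin, blocks in seen.items():
        for rsid in blocks["ssign"] - blocks["ssign-cert"]:
            problems.append((origin, f"Signature Block RSID {rsid} has no "
                                     "Certificate Block from this originator"))
    return sorted(problems)
```

The check only establishes which blocks belong to which originator; verifying the signatures themselves is out of its scope.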
