There is a misunderstanding of the information I have seen given by
many people on this list regarding TLS.  I think this misunderstanding
is also being applied to SSH.

Most people get the facts right on server-side authentication. SSL for
years supported server-side authentication. This allows a common user to
know that they are indeed connecting to the right service. Thus they
know that this is indeed their bank that they are providing their
credentials to. There is a wealth of standards and tools that accomplish
this.

The facts get much more confused when people start to add requirements
to authenticate the client side. The first confusion comes when people
don't really ask 'who do they want to authenticate?' Most common
authentication schemes want to authenticate the user. The advantage to
these services is that they then can apply preferences, user behavior
tracking, access controls based on user/role, etc. The problem with this
mode of client authentication is that the service knows nothing about
the machine that the user is using at this time. For most portals this
is a benefit as it allows the user to use any kiosk, thus user
frustration is low. The problem is that that kiosk could be highly
compromised... Enough said. 

Thus there is a need to authenticate the client-machine. Given the above
concern, this is becoming more and more common. 

So, SYSLOG needs to ask: do they want to authenticate the user, machine,
or both?

TLS does support mutual node authentication. The healthcare world has
been using mutual-node-authenticated-TLS for over three years. We use it
often to ensure that an X-Ray device is actually talking to the Picture
Archiving Service. Both systems need to know that they are talking to
the right 'other' system. This transaction doesn't need to have user
authentication as the process is fully automated. Indeed we don't always
turn on TLS encryption. But we do always do mutual-authentication. Yes
this means that there is an X.509 certificate managed for both nodes. But
this certificate management is not nearly as complex as
person-certificates (another discussion we can have on
misunderstandings due to the wrong questions being asked).

The problem is that many people quickly associate TLS/SSL with its
earlier SSL, which leads to HTTPS, which leads them to look at browsers.
The end result is that you find at most one browser that supports
mutual-authenticated-TLS. Note that the browsers will claim to
authenticate the 'client', but this is HTTP-authentication. This
HTTP-authentication is a different layer than the TLS authentication.

I don't think that the SYSLOG community is likely to be using browsers.
They will likely be using tools like JAVA, and the good news is these
tools do support mutual-node-authentication (See: JAVA SSLSocket).

John
_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
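The mutual node authentication John describes, as an added example that is not part of the original message or of any product it mentions: a Go program (rather than the Java SSLSocket API the post points to) in which a "pacs" server configured to require and verify a client certificate accepts a "modality" client only when that node presents its own certificate, and rejects it at the TLS layer, before any application data, when it does not. The node names, the throwaway self-signed certificates and the in-memory pipe are constructed assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// nodeCert builds a throwaway self-signed node certificate (name carried as a SAN) and a trust pool holding only it; constructed for this example, where a real deployment would use a managed CA.
func nodeCert(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	trust := x509.NewCertPool()
	trust.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, trust
}

// mutualHandshake runs an in-memory TLS session between a "modality" client and a "pacs" server that requires
// and verifies a client certificate. It returns the client node name the server verified and any client error.
func mutualHandshake(clientSendsCert bool) (string, error) {
	srvCert, trustSrv := nodeCert("pacs")
	cliCert, trustCli := nodeCert("modality")
	// ClientAuth turns server-only TLS into mutual node authentication; each side trusts exactly the other node.
	// Tickets are disabled only because the synchronous net.Pipe cannot absorb writes from both sides at once.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustCli, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{RootCAs: trustSrv, ServerName: "pacs"}
	if clientSendsCert {
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	srvConn, cliConn := net.Pipe()
	go func() { // server side: application data flows only once the client node has been verified
		defer srvConn.Close()
		if srv := tls.Server(srvConn, srvCfg); srv.Handshake() == nil {
			srv.Write([]byte(srv.ConnectionState().PeerCertificates[0].DNSNames[0]))
		}
	}()
	cli := tls.Client(cliConn, cliCfg)
	defer cli.Close()
	buf := make([]byte, 64) // Read runs the handshake first; under TLS 1.3 a missing client cert is rejected only here, by a server alert
	n, err := cli.Read(buf)
	return string(buf[:n]), err
}
```

Calling mutualHandshake(true) yields "modality" with no error, while mutualHandshake(false) yields an empty name and a TLS error from the server, with no application data ever exchanged.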