> TLS does support mutual node authentication. The healthcare > world has been using mutual-node-authenticated-TLS for over > three years. We use it often to ensure that a X-Ray device is > actually talking to the Picture Archiving Service. Both > systems need to know that they are talking to the right > 'other' system. This transaction doesn't need to have user > authentication as the process is fully automated. Indeed we > don't always turn on TLS encryption. But we do always do > mutual-authentication. Yes this means that there is a X.509 > certificate managed for both nodes. But this certificate > management is not nearly as complex as person-certificates > (another discussion we can have on miss-understandings due to > the wrong questions being asked). > > Tom- this one puzzles me. SSH has got server and client > authorisation defined in the I-Ds, soon to be RFCs. Reading > the TLS I-Ds I see no sign of client authorisation and since > that is a must for SNMP, then the note I quoted earlier, to > the isms list, saying that SASL would needed alongside TLS > made perfect sense (as I would expect since it came from the > Security AD:-). So where does mutual authentication come > from? What RFC or I-D defines it? Is it a proprietary > extension? Is it two simplex transmissions with only server > authentication? > Sometimes it does matter to know what goes on under the > covers. (Of course, if client authentication is not needed > then this is academic).
Client auth is a fundamental feature of TLS. It is all over the TLS RFC: http://www.faqs.org/rfcs/rfc2246.html Search it for "client authentication" or "client certificate". There are whole sections on it. It is part of the initial SSL/TLS setup. Server may require client-auth if configured so. If you don't believe that it is deployed, open you browser security settings. John mentioned that not all browsers supports client certs for SSL/TLS. Well... At least IE, Netscape, Firefox support it and had for some time. In fact, they have pretty advanced features around client certs. For example, you can use a different client cert with different sites. The real question IMO, again, is whether or not symmetric auth (password / shared secret based) is considered important. SSH has it. TLS does not. If client certs are acceptable to people, then TLS is a perfect solution. I think certificate-based infrastructure is more secure and easier to manage in the end. No interactive user auth is needed for syslog, as John mentioned. And if you store passwords instead of having user type them in, then you are really only one-step away from using certs. Thanks, Anton. > > <snip> > John > > > > _______________________________________________ > Syslog mailing list > Syslog@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/syslog > > > _______________________________________________ > Syslog mailing list > Syslog@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/syslog > _______________________________________________ Syslog mailing list Syslog@lists.ietf.org https://www1.ietf.org/mailman/listinfo/syslog
