Hi,

Here is a review of the syslog-sign document.
This is validation of the XML source file. This file will be submitted to the RFC Editor when the Internet-Draft is published as an RFC. It helps if the source is "clean", so please fix the reported problems in the source file.

---
Validation results for D:\My Documents\IETF\syslog\escrow\draft-ietf-syslog-sign-18.xml

Processing...
Validating document...

238: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t list t )
237:
238: <section anchor="Version" title="Version">
239: <t>

291: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t t t list t )
290:
291: <section anchor="siggrp" title="Signature Group and Signature Priority">
292: <t>

459: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t t list )
458:
459: <section anchor="prelims" title="Preliminaries: Key Management and Distribution Issues">
460: <t>

510: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t list )
509:
510: <section anchor="build" title="Building the Payload Block">
511: <t>

523: element list: validity error : Element list content does not follow the DTD, expecting (t)+, got (t t t list t )
522:
523: <list style="letters">
524: <t>

759: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t list t )
758:
759: <section anchor="flex" title="Flexibility">
760: <t>

794: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t list t t )
793:
794: <section anchor="offline" title="Offline Review of Logs">
795: <t>

806: element list: validity error : Element list content does not follow the DTD, expecting (t)+, got (t t t list t )
805:
806: <list style="letters">
807: <t>

834: element list: validity error : Element list content does not follow the DTD, expecting (t)+, got (t t list t )
833:
834: <list style="numbers">
835: <t>

891: element section: validity error : Element section content does not follow the DTD, expecting (t | figure | texttable | iref | section)*, got (t list t )
890:
891: <section anchor="online" title="Online Review of Logs">
892: <t>

1640: element front: validity error : Element front content does not follow the DTD, expecting (title , author+ , date , area* , workgroup* , keyword* , abstract? , note*), got (title author author date seriesInfo )
1639: <reference anchor='RFC3414'>
1640: <front>
1641: <title abbrev='USM for SNMPv3'>User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)</title>

1654: element front: validity error : Element front content does not follow the DTD, expecting (title , author+ , date , area* , workgroup* , keyword* , abstract? , note*), got (title author date seriesInfo )
1653: <reference anchor='RFC3629'>
1654: <front>
1655: <title abbrev='UTF-8'>UTF-8, a transformation format of ISO 10646</title>

1665: element front: validity error : Element front content does not follow the DTD, expecting (title , author+ , date , area* , workgroup* , keyword* , abstract? , note*), got (title author author date seriesInfo )
1664: <reference anchor='RFC4291'>
1665: <front>
1666: <title abbrev='IPv6 Addressing'>IP Version 6 Addressing Architecture</title>

1679: element front: validity error : Element front content does not follow the DTD, expecting (title , author+ , date , area* , workgroup* , keyword* , abstract? , note*), got (title author author date seriesInfo )
1678: <reference anchor='RFC4234'>
1679: <front>
1680: <title abbrev='ABNF for Syntax Specifications'>Augmented BNF for Syntax Specifications: ABNF</title>

...validation failed

Performing additional checks...

49: fyi: anchor intro not referenced
48: <middle>
49: <section anchor="intro" title="Introduction">
50: <t>

116: fyi: anchor conventions not referenced
115:
116: <section anchor="conventions" title="Conventions Used in this Document">
117: <t>

124: fyi: anchor format not referenced
123:
124: <section anchor="format" title="syslog Message Format">
125: <t>

165: fyi: anchor sigBlock not referenced
164:
165: <section anchor="sigBlock" title="Signature Block Format and Fields">
166: <t>

171: fyi: anchor sigBlkPkts not referenced
170:
171: <section anchor="sigBlkPkts" title="syslog Packets Containing a Signature Block">
172: <t>

378: fyi: anchor globBlk not referenced
377:
378: <section anchor="globBlk" title="Global Block Counter">
379: <t>

402: fyi: anchor firstmsg not referenced
401:
402: <section anchor="firstmsg" title="First Message Number">
403: <t>

416: fyi: anchor count not referenced
415:
416: <section anchor="count" title="Count">
417: <t>

427: fyi: anchor hash not referenced
426:
427: <section anchor="hash" title="Hash Block">
428: <t>

452: fyi: anchor payncert not referenced
451:
452: <section anchor="payncert" title="Payload and Certificate Blocks">
453: <t>

459: fyi: anchor prelims not referenced
458:
459: <section anchor="prelims" title="Preliminaries: Key Management and Distribution Issues">
460: <t>

569: fyi: anchor buildcert not referenced
568:
569: <section anchor="buildcert" title="Building the Certificate Block">
570: <t>

628: fyi: anchor VersionCER not referenced
627:
628: <section anchor="VersionCER" title="Version">
629: <t>

640: fyi: anchor rebootidCER not referenced
639:
640: <section anchor="rebootidCER" title="Reboot Session ID">
641: <t>

647: fyi: anchor siggrpCER not referenced
646:
647: <section anchor="siggrpCER" title="Signature Group and Signature Priority">
648: <t>

655: fyi: anchor tpbl not referenced
654:
655: <section anchor="tpbl" title="Total Payload Block Length">
656: <t>

662: fyi: anchor index not referenced
661:
662: <section anchor="index" title="Index into Payload Block">
663: <t>

670: fyi: anchor fraglen not referenced
669:
670: <section anchor="fraglen" title="Fragment Length">
671: <t>

677: fyi: anchor sigCER not referenced
676:
677: <section anchor="sigCER" title="Signature">
678: <t>

693: fyi: anchor redunnflex not referenced
692:
693: <section anchor="redunnflex" title="Redundancy and Flexibility">
694: <t>

703: fyi: anchor redun not referenced
702:
703: <section anchor="redun" title="Redundancy">
704: <t>

725: fyi: anchor redunCertblk not referenced
724:
725: <section anchor="redunCertblk" title="Certificate Blocks">
726: <t>

742: fyi: anchor redunSigblk not referenced
741:
742: <section anchor="redunSigblk" title="Signature Blocks">
743: <t>

759: fyi: anchor flex not referenced
758:
759: <section anchor="flex" title="Flexibility">
760: <t>

787: fyi: anchor verify not referenced
786:
787: <section anchor="verify" title="Efficient Verification of Logs">
788: <t>

794: fyi: anchor offline not referenced
793:
794: <section anchor="offline" title="Offline Review of Logs">
795: <t>

891: fyi: anchor online not referenced
890:
891: <section anchor="online" title="Online Review of Logs">
892: <t>

973: fyi: anchor security not referenced
972:
973: <section anchor="security" title="Security Considerations">
974: <t>

983: fyi: anchor SecCrypto not referenced
982:
983: <section anchor="SecCrypto" title="Cryptography Constraints">
984: <t>

1005: fyi: anchor SecPacket not referenced
1004:
1005: <section anchor="SecPacket" title="Packet Parameters">
1006: <t>

1031: fyi: anchor SecAuth not referenced
1030:
1031: <section anchor="SecAuth" title="Message Authenticity">
1032: <t>

1048: fyi: anchor SeqDel not referenced
1047:
1048: <section anchor="SeqDel" title="Sequenced Delivery">
1049: <t>

1059: fyi: anchor SecReplay not referenced
1058:
1059: <section anchor="SecReplay" title="Replaying">
1060: <t>

1069: fyi: anchor SecRelDel not referenced
1068:
1069: <section anchor="SecRelDel" title="Reliable Delivery">
1070: <t>

1083: fyi: anchor SecSeq not referenced
1082:
1083: <section anchor="SecSeq" title="Sequenced Delivery">
1084: <t>

1094: fyi: anchor SecInt not referenced
1093:
1094: <section anchor="SecInt" title="Message Integrity">
1095: <t>

1105: fyi: anchor SecObs not referenced
1104:
1105: <section anchor="SecObs" title="Message Observation">
1106: <t>

1114: fyi: anchor SecMITM not referenced
1113:
1114: <section anchor="SecMITM" title="Man In The Middle">
1115: <t>

1126: fyi: anchor SecDen not referenced
1125:
1126: <section anchor="SecDen" title="Denial of Service">
1127: <t>

1142: fyi: anchor SecCov not referenced
1141:
1142: <section anchor="SecCov" title="Covert Channels">
1143: <t>

1156: fyi: anchor iana not referenced
1155:
1156: <section anchor="iana" title="IANA Considerations">
1157: <t>

1181: fyi: anchor ianaVer not referenced
1180:
1181: <section anchor="ianaVer" title="Version Field">
1182: <t>

1261: fyi: anchor ianaSIG not referenced
1260:
1261: <section anchor="ianaSIG" title="SIG Field">
1262: <t>

1270: fyi: anchor ianabuild not referenced
1269:
1270: <section anchor="ianabuild" title="Key Blob Type">
1271: <t>

1280: fyi: anchor authors not referenced
1279:
1280: <section anchor="authors" title="Authors and Working Group Chair">
1281: <t>

1288: error: <figure> inside <t> is deprecated by rfc2629bis
1287: The working group can be contacted via the mailing list:
1288: <figure><artwork>
1289: syslog-sec@employees.org

1295: error: <figure> inside <t> is deprecated by rfc2629bis
1294: The current Chairs of the Working Group may be contacted at:
1295: <figure><artwork>
1296: Chris Lonvick

1310: error: <figure> inside <t> is deprecated by rfc2629bis
1309: The authors of this draft are:
1310: <figure><artwork>
1311: John Kelsey

1323: fyi: anchor acks not referenced
1322:
1323: <section anchor="acks" title="Acknowledgements">
1324: <t>

1359: warning: anchor ANSI.X3-4.1968 not referenced
1358:
1359: <reference anchor="ANSI.X3-4.1968">
1360: <front>

1391: warning: anchor RFC1034 not referenced
1390:
1391: <reference anchor='RFC1034'>
1392: <front>

1405: warning: anchor RFC1035 not referenced
1404:
1405: <reference anchor='RFC1035'>
1406: <front>

1429: warning: anchor RFC2085 not referenced
1428:
1429: <reference anchor='RFC2085'>
1430:

1653: warning: anchor RFC3629 not referenced
1652:
1653: <reference anchor='RFC3629'>
1654: <front>

1664: warning: anchor RFC4291 not referenced
1663:
1664: <reference anchor='RFC4291'>
1665: <front>

1678: warning: anchor RFC4234 not referenced
1677:
1678: <reference anchor='RFC4234'>
1679: <front>

1695: warning: anchor MENEZES not referenced
1694: <references title="Informative References">
1695: <reference anchor="MENEZES">
1696: <front>

1786: warning: anchor RFC1983 not referenced
1785:
1786: <reference anchor='RFC1983'>
1787:

1817: warning: anchor RFC2104 not referenced
1816:
1817: <reference anchor='RFC2104'>
1818:

2007: warning: anchor RFC3339 not referenced
2006:
2007: <reference anchor='RFC3339'>
2008: <front>

2050: warning: anchor SCHNEIER not referenced
2049:
2050: <reference anchor="SCHNEIER">
2051: <front>

...done

---
Idnits from http://tools.ietf.org/tools/idnits/idnits.pyht

idnits 1.108

tmp/draft-ietf-syslog-sign-18-official.txt:
tmp/draft-ietf-syslog-sign-18-official.txt(343): RFC 2119 keyword: format. It is RECOMMENDED to be used within the syslog protocol as.
tmp/draft-ietf-syslog-sign-18-official.txt(344): RFC 2119 keyword: defined in RFC xxxx [24]. It MAY be transported over a traditional.
tmp/draft-ietf-syslog-sign-18-official.txt(346): RFC 2119 keyword: 3164 [20], or it MAY be used over the Reliable Delivery of syslog.
tmp/draft-ietf-syslog-sign-18-official.txt(350): RFC 2119 keyword: entirety, it is imperative that the messages MUST NOT be changed in.
tmp/draft-ietf-syslog-sign-18-official.txt(353): RFC 2119 keyword: 3164 MAY make changes to a syslog packet if specific fields are not.
tmp/draft-ietf-syslog-sign-18-official.txt(403): RFC 2119 keyword: Signature Block messages MUST be encompassed within completely formed.
tmp/draft-ietf-syslog-sign-18-official.txt(404): RFC 2119 keyword: syslog messages. It SHOULD also contain valid APP-NAME, PROCID, and.
tmp/draft-ietf-syslog-sign-18-official.txt(407): RFC 2119 keyword: the latter case, it is RECOMMENDED that the TAG field have the value.
tmp/draft-ietf-syslog-sign-18-official.txt(410): RFC 2119 keyword: Signature Block messages MUST be encoded as an SD ELEMENT, as defined.
tmp/draft-ietf-syslog-sign-18-official.txt(438): Line is too long: the offending characters are 'h'
tmp/draft-ietf-syslog-sign-18-official.txt(439): Line is too long: the offending characters are 'y)'
tmp/draft-ietf-syslog-sign-18-official.txt(442): Line is too long: the offending characters are 'y)'
tmp/draft-ietf-syslog-sign-18-official.txt(491): RFC 2119 keyword: always be set to a value of 0. Otherwise, it MUST increase whenever.
tmp/draft-ietf-syslog-sign-18-official.txt(494): RFC 2119 keyword: to 0. Implementors MAY wish to consider using the snmpEngineBoots.
tmp/draft-ietf-syslog-sign-18-official.txt(627): RFC 2119 keyword: Signature Block MUST be chosen such that the length of the resulting.
tmp/draft-ietf-syslog-sign-18-official.txt(637): RFC 2119 keyword: each hash, but the size MUST NOT be shorter than 160 bits. It is.
tmp/draft-ietf-syslog-sign-18-official.txt(738): RFC 2119 keyword: Block MUST have the following fields. Each of these fields are.
tmp/draft-ietf-syslog-sign-18-official.txt(771): RFC 2119 keyword: that the device MAY make the Certificate Blocks of any legal length.
tmp/draft-ietf-syslog-sign-18-official.txt(915): RFC 2119 keyword: provides redundancy; since the collector MUST ignore Signature/.
tmp/draft-ietf-syslog-sign-18-official.txt(1210): RFC 2119 keyword: bytes. As seen in RFC 3164, relays MAY truncate messages with.
tmp/draft-ietf-syslog-sign-18-official.txt(1416): RFC 2119 keyword: SHOULD have the same values in the fields described in this section..

Checking nits according to http://www.ietf.org/ID-Checklist.html:

  * The document seems to lack separate sections for Informative/Normative References.

Checking conformance with RFC 3978/3979 boilerplate...
the boilerplate looks good.

Checking nits according to http://www.ietf.org/ietf/1id-guidelines.txt:

  - Mismatching filename: the document gives the document name as 'draft-ietf-syslog-sign-18', but the file name used is 'draft-ietf-syslog-sign-18-official'

Miscellaneous warnings:

  - The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error?

    RFC 2119 paragraph 2 text:
    "The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119."

    ... text found in draft:
    "The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    ............^
    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" that appear in this document are to be interpreted as described in RFC 2119 [13].")

    (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires).

Experimental warnings:

  - Unused Reference: '3' is defined on line 1111, but not referenced
    '[3] American National Standards Institute, "USA Code for Informat...'
  - Unused Reference: '4' is defined on line 1114, but not referenced
    '[4] Menezes, A., van Oorschot, P., and S. Vanstone, ""Handbook of...'
  - Unused Reference: '6' is defined on line 1120, but not referenced
    '[6] Mockapetris, P., "Domain names - concepts and facilities", ST...'
  - Unused Reference: '7' is defined on line 1123, but not referenced
    '[7] Mockapetris, P., "Domain names - implementation and specifica...'
  - Unused Reference: '9' is defined on line 1129, but not referenced
    '[9] Malkin, G., "Internet Users' Glossary", RFC 1983, August 1996...'
  - Unused Reference: '10' is defined on line 1131, but not referenced
    '[10] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Exte...'
  - Unused Reference: '11' is defined on line 1135, but not referenced
    '[11] Oehler, M. and R. Glenn, "HMAC-MD5 IP Authentication with Rep...'
  - Unused Reference: '12' is defined on line 1138, but not referenced
    '[12] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashi...'
  - Unused Reference: '14' is defined on line 1144, but not referenced
    '[14] Yergeau, F., "UTF-8, a transformation format of ISO 10646", R...'
  - Unused Reference: '15' is defined on line 1147, but not referenced
    '[15] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifi...'
  - Unused Reference: '16' is defined on line 1150, but not referenced
    '[16] Hinden, R. and S. Deering, "IP Version 6 Addressing Architect...'
  - Unused Reference: '22' is defined on line 1169, but not referenced
    '[22] Klyne, G. and C. Newman, "Date and Time on the Internet: Time...'
  - Unused Reference: '25' is defined on line 1179, but not referenced
    '[25] Schneier, B., "Applied Cryptography Second Edition: protocols...'

---- spelling

"Predistributed" is not an English word. This could be difficult for those who rely on translators. "distributed" should be adequate for the usage. Otherwise, please use "pre-distributed".

"SD ELEMENTS(SDEs)" - add a space after ELEMENTS.

For consistency among all our documents, please use implementers rather than implementors.

Correspondsss

/permissable/permissible/

Can you spell out the meaning of O(N lg N) at its first usage?
"collusionist" does not appear to be an English word. Would "attacker" do?

In section 9.3: "Section Section"

Abstract:
/"The syslog Protocol", however it may be used atop any message delivery mechanism, even that/"The syslog Protocol" However it may be used atop any message delivery mechanism, including that/
and change the following "or" to "and".

Introduction:
/the type of key material which may be/the type of key material, which may be/ -- added a comma
/In the cases of certificates being sent, the certificates may have/Certificates may have/
/actual transport protocol/transport protocol/
/defined in the informational RFC 3164/described in the informational RFC 3164/

There are lots of "it" references in the document, and in many cases it would be better if it was spelled out to be unambiguous. For example:
"The MSG part of the syslog message as defined in RFC xxxx [23] will simply be empty - it is not intended for interpretation by humans"
What isn't intended for human consumption: the MSG? This specification? The signature block? Syslog-sign messages?

/Having said that, as stated above,//
/independent of the SD-ID definitions and/independent of the SD-ID definitions, and/
/The SD-ID must have the value of "ssign"./The SD-ID MUST have the value of "ssign"./

--- general review

snmpEngineBoots has a range of 1..2147483647 and records the reboot of the SNMP engine. The Reboot Session ID has a range of 1..9999999999 and records the reboot of the device.

"is rendered useless." - does this mean an attacker could deliberately create a denial of service so that they could then attack the system with less chance of detection?

I found section 3 a bit hard to follow, since it discusses how this uses SD-IDs, but is independent of SD-IDs, and so on. I think the backwards compatibility discussion should happen after you describe what the current proposal is. Let's put the discussions about how to use this with RFC 3164 into an appendix, and focus on defining the current proposal before spending lots of verbiage making sure everybody is happy that it is all backwards compatible with RFC 3164 and RFC 3195.

"The value of each field must be printable ASCII" - can you specify the range of characters included in "printable ASCII"?

---

I will be sending another review as I read through the document for content and grammar.

David Harrington

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog