> Syslog-sign does NOT rely on syslog-auth.
OK, but that still begs the question of how messages
get associated with session id's, etc. On the other
hand, you did say this was a short description,
so I'll give you the benefit of the doubt and assume
you just didn't specify that bit.
> But why not just assign a different signature
> group for each of these files, so that the
> signature blocks for a given sequence of
> messages always go into the file with
> those messages?
Could do that. But it means all the machines have to
be updated to change where things are going instead of
just updating the central log server.
> Alternatively, it would be totally legitimate
> to split out those messages at the collector into
> their individual files, along with:
>
> a. Copying the signature blocks to all files.
> b. Making some distinction in the stored files
> between messages that were sent to different files,
> and messages that were never received.
That's pretty much what I had in mind, though I
figured the "real" sysadm could always concatenate the
files to figure out what messages are truly missing.
> For this reason, I cringe a bit at the thought
> of saying ``put your public keys into whatever
> format you find convenient, and let the
> recipient sort all that stuff out.''
Yeah, that's a good point.
> Is there a single really good format for encoding
> all public keys, which has widely available
> software support?
Well, that is the problem that X.509 is supposed to
solve. But it's kind of bloated and there are
surprisingly few tools out there to manipulate it.
> I especially want to make sure that using DSA is
> as easy as possible in this environment, since
> DSA's short signatures are so nice here.
Hmm, good point. SSH2/OpenSSH uses DSA, so there's a
good place to start from.
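Added example, not code from either poster: a toy collector-side split of one signed stream into per-facility files, following the scheme quoted above (copy the signature blocks into every file, and mark messages that went to another file so a reader can tell "stored elsewhere" from "never received"), plus the "concatenate everything" check the reply mentions. The record shapes, the signature-group and sequence-number fields, and routing by facility are all constructed for illustration and are not the real syslog-sign wire format.

```python
"""Toy demux of a signed syslog stream at the collector (illustration only)."""
from collections import defaultdict

# Constructed, simplified record shapes (NOT the real syslog-sign format):
#   ("MSG", group, seq, facility, text)    an ordinary message in a signature group
#   ("SIG", group, first_seq, last_seq)    a signature block vouching for seqs first..last
#   ("ELSEWHERE", group, seq, facility)    stub written by the collector: the message
#                                          was received but routed to another file


def demux(stream):
    """Split one incoming stream into per-facility files.

    Every signature block is copied into every file, and each file gets a stub
    for each message that was routed to a different file.
    """
    facilities = sorted({rec[3] for rec in stream if rec[0] == "MSG"})
    files = {fac: [] for fac in facilities}
    for rec in stream:
        if rec[0] == "MSG":
            _, group, seq, fac, _text = rec
            for name, contents in files.items():
                contents.append(rec if name == fac else ("ELSEWHERE", group, seq, fac))
        elif rec[0] == "SIG":
            for contents in files.values():
                contents.append(rec)
    return files


def covered_seqs(records):
    """Per group, the set of sequence numbers the signature blocks vouch for."""
    covered = defaultdict(set)
    for rec in records:
        if rec[0] == "SIG":
            _, group, first, last = rec
            covered[group].update(range(first, last + 1))
    return covered


def _gaps(records, kinds):
    """Seqs covered by signature blocks but absent from records of the given kinds."""
    present = defaultdict(set)
    for rec in records:
        if rec[0] in kinds:
            present[rec[1]].add(rec[2])
    return {g: sorted(s - present[g])
            for g, s in covered_seqs(records).items() if s - present[g]}


def missing_in_file(records):
    """View from a single file: stubs count as 'present, stored elsewhere'."""
    return _gaps(records, ("MSG", "ELSEWHERE"))


def missing_after_concat(files):
    """The 'real sysadm' view: concatenate all files and report true gaps."""
    everything = [rec for contents in files.values() for rec in contents]
    return _gaps(everything, ("MSG",))


# Constructed sample stream: one signature group, seq 3 is lost in transit.
SAMPLE_STREAM = [
    ("MSG", "g1", 1, "auth", "login ok user=alice"),
    ("MSG", "g1", 2, "kern", "eth0 link up"),
    # seq 3 never arrives at the collector
    ("MSG", "g1", 4, "auth", "sudo: alice : TTY=pts/0"),
    ("SIG", "g1", 1, 4),
]

if __name__ == "__main__":
    split = demux(SAMPLE_STREAM)
    for name, contents in split.items():
        print(name, "missing:", missing_in_file(contents))
    print("after concatenation:", missing_after_concat(split))
```

Without the stubs, a reader of the `auth` file alone would report seq 2 as missing as well as seq 3; with them, each file and the concatenated view agree that only seq 3 was never received.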