-----BEGIN PGP SIGNED MESSAGE-----

>Date: Mon, 12 Feb 2001 10:58:23 -0600
>To: John Kelsey <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>From: "Chris M. Lonvick" <[EMAIL PROTECTED]>
>Subject: Re: syslog-sign (almost) real-time verification, comments
>  requested.

>Hi John,

>This looks good.  It has a low complexity factor and doesn't
>change the existing messages.

Thanks.  I wanted to convince myself that it could be done
reasonably efficiently, before I claimed that in the
document.  Do you think it makes sense for me to include
some description of my proposed algorithm in the document?
Or should I just stick to saying that it can be done?

>There has been a lot of discussion on the list -and I've
>received several comments separately- of the time format in
>the existing messages.  Since the syslog-syslog ID is only
>documenting the current message format we can't change that.
>Also, the intent of the overall system has been that the
>messages would be reviewed fairly soon after they were
>generated and would not really need a year marker.  It was
>also considered that the messages would have local
>significance and that the administrators would know the
>timezone of the device generating the message.  Does it make
>sense to include an optional timestamp in the body of the
>message that gives more robust details of the time?

I really like the idea of putting as much information into
the log messages as possible.  In particular, putting a
complete timestamp in might make them more useful as
evidence in criminal trials later.  (Though I suspect this
won't usually be the case, since most people don't keep old
log backups in the right way to ensure proper chain of
custody for evidence.)

>Speaking of time, as you're writing you may want to consider
>what should happen if the device doesn't generate messages
>very often. As you mention in "d", it will need to be
>tunable to provide good redundancy coverage.  However, what
>could happen if the device is configured to generate a block
>after 5 messages, but the device only generates 4 messages
>within an hour and then just sits there for the next week
>without any further activity?  I wouldn't want the block to
>be lost if the device is rebooted during that later time.
>Perhaps it would be good to put a note in the draft that
>says that the block may be sent even if it is not full to
>the configured capacity.

Yes, actually I made a change like this to my document about
a week ago.  Thinking about the near-real-time processing of
messages led pretty directly to this thought about how the
server would handle short signature blocks.

>Thanks,
>Chris

- --John Kelsey, [EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>
Comment: foo

-----END PGP SIGNATURE-----
