Hay all, Aside from my remarks on the draft RFC (see another mail), I want to propose to allow other hash/sign algorithms as well.
Currently only SHA1/DSA is allowed to compute a signature. Those algorithm's are secure. But, the are also very expensive, in CPU cycles! I have implemented a very-very draft version of syslog-sign, and run in on a 386 CPU (40Mhz). It takes ages! The first testrun showed: 33 minutes to compute the key, and 4.7 seconds to sign ONE message! More timing is being generated, as I write this mail. Now the system is otherwise idle, time is 50% faster, but still over 1 second/signature! This means syslog-sign is near-worthless on small (CPU poor) or real-time systems! ============================================================================ ====== When the hardware can't afford expensive security, the options is no encryption or fast/less-secure encryption. I prefer syslog-sign with "simple" crypto algorithms over no security at all (by using normal syslog)! To make this possible, we should add alternative crypto algorithms in the syslog-sign rfc. At least one, better several ones. Then an implementator/user has a choose: syslog, simple-signing more secure signing, etc. Remember, we aren't the one that makes chooses. The implementers is. He can choose to follow the rfc or not! I think we should allow (keyed)MD5, as MD5 is already used a lot in "small systems", for hashing. As alternative for SHA, we can use SHA-512, SHA-265 (smaller key's), and probably also DES, 3DES en more. Problem with (3)DES (with I guess is a lot faster) is that they aren't asymmetric. So we can't publish a public key. However, syslog-sign already has an option for "key distributed separately"; which we probably can use. Currently I don't have a good overview of alternative's for SHA (with seems to be the bottleneck). But I will investigate. Comment's are welcome. Hope, this premature timings will make clear only allowing SHA1/DSA isn't going to make syslog more secure! --ALbert sent mail to [EMAIL PROTECTED], to address me personal. sent mail to [EMAIL PROTECTED], to address me for businesses
