On Fri, 2002-11-08 at 16:05, Christopher Lonvick wrote:
> On 5 Nov 2002, Frank O'Dwyer wrote:
[...]
> > and in particular for having collectors and/or relays use
> > syslog-sign "on behalf of" a peer connected via syslog-rel. Are proxy
> > signatures of this type envisaged, and if so are they within the scope
> > of syslog-sign?
>
> I hadn't thought of a relay/proxy being able to sign traditional messages
> from another device. I don't think that's a particularly good idea as the
> original syslog messages may be so easily spoofed. I am, however, very
> open to a discussion on this. Thoughts from others?

Just a quick clarification on this - I had in mind that this would only
occur if the original device authenticated itself when connecting over
syslog-rel. Otherwise, as you say, it definitely doesn't make sense.

Specifically I had in mind that the client would use something like a
one-time password derived from a shared secret, or simply use a
password+TLS. (I am assuming that SASL supports such mechanisms, I haven't
actually looked yet.)

Cheers,
Frank
