Hi,
Tom asked for a review of the IESG concerns.
As document shepherd, let me address that question.
This email shows the AD comments as the draft progressed since -11-.
Some WG input was also taken into consideration during the document
revisions.
Following the publication of -11-, Sam Hartman said:
"Dave, the syslog tls document is much clearer and I think it does a
good job of specifying what implementations need to do.
I think this is a huge improvement.
However I have two major problems.
1) The default/recommended configuration requires managed trust
anchors, a working DNS deployment and certificates provisioned to
syslog servers. I do not find it plausible that operators will
actually do this and so I do not find the specification credible.
2) The spec talks about caching of certificates in a manner similar to
ssh, but does not discuss operational concerns such as key
rollover. Jeff, any chance you could help the syslog working
group understand the tradeoffs around leap of faith?
"
Jeff Hutzelman provided expert advice on behalf of Sam:
"I can try. It may be worth noting that I don't think ssh talks much
about
server key rollover, and it certainly isn't done much in practice.
What
does happen is server keys changing because of a machine being
reinstalled
or some similar event. The approaches open to SSH in that case
(prompt the
user, or just notify them and fail so they can fix it and try again)
don't
work so well with syslog, where the originator of a message likely
can't
fix the problem, and the way to notify the person who can is to send a
syslog message!"
Then the AD token passed from Sam to Pasi, who suggested:
"Here's one idea how to handle certificates for TLS in order to make
it reasonably secure (in most cases), yet also deployable:
- When a tranport sender configures the address of transport receiver,
and enables TLS, allow the following choices:
1) configure set of trust anchors, and a name to be matched against
the cert. If the transport receiver address is configured as DNS
name, this name would usually be the same one. If the transport
receiver address is configured as IP address, this one could
be IP address (but could be also a domain name).
(Note: in no situation, the result of A/AAAA or PTR lookup
would be used when checking the certificate. This part of the
current spec isn't correct.)
2) configure the "certificate fingerprint" of the peer (typically
a 40-digit hex string). Cut-and-pasting that from one SSH window
to another isn't the world's friendliest UI, but would be doable
by admins, and is couple of orders of magnitude less work than
setting up a real PKI.
3) configure "anything goes, don't verify the cert" (obviously,
not very secure; SHOULD NOT be done)
- A transport receiver would have similar choices:
1) configure set of trust anchors, and a list of names (or
wildcards matching names) to be matched against the
certificates; everyone listed here would be OK.
2) configure list of certificate fingerprints that are OK.
3) configure list of transport (IP) addresses/netmasks that are
allowed to send messages regardless of the certificate
(obviously, not very secure; SHOULD NOT be done)
- I've intentionally omitted "SSH style leap of faith" (called "MAY
cache the certificate presented by its peer so it can compare the
certificate with what is presented in subsequent connections" in
current spec). .
It could be added (but has some operational issues); or we could
specify slightly similar (but not quite) functionality where instead
of typing in the 40-digit fingerprint, the management interface
would fetch the fingerprint from the peer, show it to the
administrator,
and the admin would then compare it against something (e.g., what
he/she sees in some other SSH window), and confirm that they match.
There are some issues with this, though.... (user studies made with
similar approaches show that most users click "yes, they match" even
when shown two totally different values).
- We probably need to require that everyone must be able to generate a
keypair and self-signed certificate, and calculate/display the
fingerprint of the certificate (in some management interface).
Has something like this (in particular, using the fingerprint in
cases where deploying PKI isn't feasible) suggested before? Do
you think it would be operationally workable?
If you think this might make sense, I can post something on the
mailing list, too. But this is just one preliminary idea -- if
there are other ideas that would solve the issues, I'm in no way
saying it must be done this way."
Joe did a revision which Paso reviewed, and commented:
"Joe: thanks for working on this; I think we're making good
progress, and I'm optimistic that we could get this draft
done soon.
However, some of the TLS/certificate related text in version -11
was *really*...err... unclear, so I think we need to rewrite
it to some extent before taking it to the WG list (fortunately,
the whole text is only two pages, so this shouldn't be
too much effort). We also have an option (fingerprints)
that wasn't present before, so we need to recheck the WG
consensus anyway.
Some proposed text fragments from me (Joe, please feel free
to edit as you like):
4.2
TLS typically uses certificates to authenticate
peers. Authentication and authorization of the TLS server
(transport receiver) is described in Section 4.2.1; authentication
and authorization of the TLS client (transport sender) is described
in Section 4.2.2.
4.2.1 Server authentication/authorization
The transport sender (TLS client) has three different options for
authenticating and authorizing the transport receiver (TLS server):
(Pasi's note: it could be sufficient is one of the following
two is a MUST, and the other one is a SHOULD.)
o Certification path validation and subject name verification: the
client is configured with one or more trust anchors, and for
each transport receiver, the name to be matched against the
certificate. This option MUST be supported.
o Certificate fingerprints: For each transport receiver, the
client
is configured with a fingerprint of the server's certificate
(which can be self-signed). This option MUST be supported.
o No server authentication/authorization: The client is configured
to accept any certificate from the server. This option
MAY be supported, but MUST NOT be enabled by default.
For certification path validation, client implementations MUST
provide a mechanism for configuring one or more trust anchors, and
MUST perform certification path validation as specified in
[RFC3280bis].
For subject name verification, client implementations MUST support
configuring, for each transport receiver, the name to be matched
against the certificate. This name may be the host name or IP
address used when opening the TCP connection, or a distinct host
name (...details of name matching...MUST support DNS names,
probably others can be MAY...)
To support certificate fingerprints, client implementations MUST
support configuring, for each transport receiver, a fingerprint of
the server certificate. See Section 4.2.3 for details.
If server authentication/authorization fails, the client SHOULD log
the error in some form or another (...more text...)
4.2.2 Client authentication/authorization
The transport receiver (TLS server) has three different options for
authenticating and authorizing the transport sender (TLS client).
(Pasi's note: it could be sufficient is one of the following
two is a MUST, and the other one is a SHOULD.)
o Certification path validation and subject name verification:
the server is configured with one or more trust anchors,
and a set of names (or wildcard patterns) to be matched
against the certificates. This option MUST be supported.
o Certificate fingerprints: The server is configured with the
fingerprints of client certificates. This option MUST be
supported.
o No client authentication/authorization (or authorization
based only on connection source IP address): This option MAY
be supported, but MUST NOT be enabled by default.
Certification path validation and subject name verification work
as described in Section 4.2.1 above, with following addition:
(...locally configured client name can be a wildcard; different
from wildcard-in-cert case...)
To support certificate fingerprints, server implementations MUST
support configuring with a list of fingerprints of authorized
certificates. See Section 4.2.3 cor details.
4.2.3 Certificate fingerprints
Both client and server implementations MUST make the certificate
fingerprint available through a management interface. If no other
certificate is configured, both client and server implementations
MUST support generating a key pair and self-signed certificate.
<describe details of certificate fingerprint calculation here.
this should be compatible with the way e.g. current web browsers
calculate fingerprints> "
and after Joe did some additioon revising, Pasi said:
"I'd be interested in getting the WG's opinion on this (in
particular, the fingerprint stuff) as soon as possible."
At this point, Joe revised and published the draft and we brought it
to the WG for comment.
Hope this helps
David Harrington
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
