Rainer

I do not think that Robert or David is suggesting that we standardise this, just that this is close to what already happens when I customise an entry level box, using proprietary tools. (I have even used SNMP to do something like this, it happened to be the protocol that the manufacturer provided).

So yes, I do see this as a viable way forward (but would not want to see more than a passing reference to it, or an overview, in section 5 of the I-D). If such a mechanism is to be standardised, then it should IMO be a pkix-like group, or a non-IETF one focussed on configuration.

Tom Petch

----- Original Message -----
From: "Rainer Gerhards" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[email protected]>; <[EMAIL PROTECTED]>
Sent: Wednesday, May 14, 2008 8:48 PM
Subject: Re: [Syslog] syslog/tls policies and use cases

> > > > So I go buy a Linksys or Netgear router or other consumer gear.
> > > > I slip the CD into the drive and run software to install the
> > > > management GUI on my PC.
> > > > That software is used to perform an initial configuration of the
> > > > device, such as enabling DHCP, setting WEP keys, and so on.
> > > > This same software can presumably generate a key and "copy the
> > > > fingerprint" to the device, right?
> > > > Clueless operator need not be involved. The Internet is secure.
> > > >
> > > > right?
> > >
> > > Mostly ;) What the clueless user still needs to do is
> > >
> > > 1) copy the server's fingerprint to the client
> > > 2) configure the server to accept the client's fingerprint
> > >
> > > [Robert]
> > Another minor correction. The dumb gear sends its certificate to the
> > server, and gets its certificate from the server. (I would suggest by a
> > reasonably secure means, such as https.) You then use the fingerprints to
> > make sure that the right certificates were copied.
> >
> > R Horn
>
> [Rainer]
> But that, of course, requires that we specify a protocol for
> certificate/fingerprint exchange. The current draft does not provide
> this. And, to be honest, I find that is way too much "just" to get TLS
> protected syslog...
>
> If we do not specify a protocol for certificate copying, I can not
> envision how the low end device will copy certificates to e.g. syslog-ng,
> MonitorWare, Kiwi, rsyslog, msyslog, WinSyslog, ... They all have quite
> different concepts. So my conclusion is that the operator must do it - at
> least for the foreseeable future...
>
> Even if the copy *could* happen (and it can't), you still need a GUI
> frontend for the syslog to display and accept it. Such a GUI is uncommon
> for *nix syslogds.
>
> Rainer
>
> > > > Rainer
> > > >
> > > > David Harrington
> > > > [EMAIL PROTECTED]
> > > > [EMAIL PROTECTED]
> > > > [EMAIL PROTECTED]

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
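The two manual steps the thread keeps coming back to (copy the server's fingerprint to the client; configure the server to accept the client's fingerprint) are, on the code side, a fingerprint check of a peer certificate plus an operator-maintained allow list. The block below is an added example, not code from this thread or from any of the syslog implementations named in it. It assumes the fingerprint is written as an algorithm name, a colon, and colon-separated hex byte pairs (a local convention chosen here; the I-D text is not on this page), and it uses a constructed byte string in place of a real DER certificate so that it runs offline. In a real deployment the DER bytes would come from the TLS peer, for instance from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded X.509 certificate. This is NOT a
# valid certificate, only sample bytes so the example runs without a network
# or a key-generation library.
SAMPLE_DER_CERT = bytes(range(0x30, 0x30 + 64))

# Assumed fingerprint layout: "ALG:AA:BB:CC:..." (algorithm name, colon,
# hex byte pairs). Case and surrounding whitespace are tolerated because
# values pasted out of a GUI or a config file rarely arrive clean.
_FP_RE = re.compile(r"^([A-Za-z0-9]+):((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})$")


def cert_fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Render the fingerprint of a DER certificate in the assumed layout.

    This is what the device-side GUI would display for the operator to copy."""
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algorithm.upper()}:{pairs}"


def parse_fingerprint(text: str) -> tuple[str, str]:
    """Normalise an operator-entered fingerprint to (algorithm, lowercase hex).

    Rejects anything that is not the assumed layout, and any hash name this
    Python build cannot compute, so a typo fails loudly at config time rather
    than silently never matching."""
    m = _FP_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed fingerprint: {text!r}")
    algorithm = m.group(1).lower()
    hexdigest = m.group(2).replace(":", "").lower()
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return algorithm, hexdigest


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Step 1: the client checks the server's certificate against the one
    fingerprint the operator copied onto it."""
    algorithm, want = parse_fingerprint(expected)
    got = hashlib.new(algorithm, der_cert).hexdigest()
    # Constant-time comparison so the check does not leak how many leading
    # characters of the expected value were correct.
    return hmac.compare_digest(got, want)


class FingerprintAllowList:
    """Step 2: the server keeps the fingerprints of the clients the operator
    configured and accepts a connecting client only if its certificate is
    listed. Each entry carries its own hash algorithm, so SHA-1 entries from
    older gear and SHA-256 entries can coexist in one list."""

    def __init__(self, configured: list[str]):
        self._allowed = {parse_fingerprint(fp) for fp in configured}

    def accepts(self, der_cert: bytes) -> bool:
        for algorithm, want in self._allowed:
            got = hashlib.new(algorithm, der_cert).hexdigest()
            if hmac.compare_digest(got, want):
                return True
        return False


if __name__ == "__main__":
    shown = cert_fingerprint(SAMPLE_DER_CERT)
    print("fingerprint the device would display:", shown)
    print("client accepts server:", fingerprint_matches(SAMPLE_DER_CERT, shown))
    server_list = FingerprintAllowList([shown])
    print("server accepts client:", server_list.accepts(SAMPLE_DER_CERT))
    print("server accepts stranger:", server_list.accepts(b"some other cert"))
```

The design point worth noting is that the allow list stores parsed (algorithm, hex) pairs rather than raw strings: the comparison is then independent of how the operator typed the value, and a malformed entry is rejected when the list is loaded rather than at the first connection.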
