"Rainer Gerhards" <[EMAIL PROTECTED]> wrote on 05/16/2008 11:06:45 AM:
> > [Rainer]
> The differences I see is that between the two there are differences in
> what modes can be used. For example
>
>                -sign   -transport-tls
>   x.509        yes     yes
>   fingerprints no      yes
>   openPgP      yes     no
>   (other)      yes     (N/A)
>
> Also, -sign specifies how certificates are distributed (section 5.2, 5.3
> among others). -transport-tls does not talk about certificate
> distribution. In fact, -sign focuses very much on the distribution.
> ...
>
> As I outlined in my mail yesterday, -tls cannot really authenticate the
> originator. -sign can do that. -sign cannot provide confidentiality.
> -tls can do that. So a really secure system would need to utilize both.
> Then, it would at least be useful to have the same set of drafts reuse
> some ideas. Even the relationship between those two is not spelled
> out...

I make this distinction on authentication. -tls authenticates the sender of the message. -sign authenticates the contents and creator of the message. Both have their uses, and they are independent concepts.

I find in practice that for syslog style operation I am usually satisfied with -tls plus the knowledge that the sender has done whatever is appropriate to ensure that message contents are appropriate. But, there are other syslog situations where that is not a reasonable assumption, and -sign is then needed.

R Horn

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
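The distinction drawn in this exchange (transport authentication identifies the peer that delivered a message; a content signature identifies who created it) can be made concrete with a small simulation. This is an added example, not code from either draft or from the thread: it assumes a single relay hop between originator and collector, models the transport-level peer identity as a plain field (standing in for what a TLS handshake would establish), and reduces the -sign signature block to one Ed25519 signature over the hash of a single message, which is a simplification of the real draft.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage pairs a syslog line with the originator's signature over its
// hash. This is a constructed, simplified stand-in for a -sign signature block.
type SignedMessage struct {
	Originator string
	Line       string
	Sig        []byte
}

// Sign is what the originator does before the message leaves the host.
func Sign(originator string, priv ed25519.PrivateKey, line string) SignedMessage {
	h := sha256.Sum256([]byte(line))
	return SignedMessage{Originator: originator, Line: line, Sig: ed25519.Sign(priv, h[:])}
}

// VerifyOrigin is what the collector does: check the content against the
// originator's public key, independent of which peer delivered the message.
func VerifyOrigin(m SignedMessage, pub ed25519.PublicKey) bool {
	h := sha256.Sum256([]byte(m.Line))
	return ed25519.Verify(pub, h[:], m.Sig)
}

// Delivery is what the collector sees after one hop: the message plus the
// identity of the transport peer that delivered it (the -transport-tls view).
type Delivery struct {
	TransportPeer string
	Msg           SignedMessage
}

// Relay forwards a message over its own authenticated transport. With modify
// set, it alters the line in flight; the transport peer identity stays valid
// either way, so only the content signature can reveal the change.
func Relay(relayName string, m SignedMessage, modify bool) Delivery {
	if modify {
		m.Line += " (altered in transit)"
	}
	return Delivery{TransportPeer: relayName, Msg: m}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample message; the collector only ever talks to relay-1.
	m := Sign("host-a", priv, "<34>1 2008-05-16T11:06:45Z host-a app - - - login ok")
	for _, tamper := range []bool{false, true} {
		d := Relay("relay-1", m, tamper)
		fmt.Printf("peer=%s originator-verified=%v\n", d.TransportPeer, VerifyOrigin(d.Msg, pub))
	}
}
```

The transport peer is relay-1 in both runs; only the signature check distinguishes the intact message from the altered one, which is the sense in which the two mechanisms are independent.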
