I agree it might be a good idea to spell out the relationship between the two. We can add a section to syslog-sign, or presumably add a section to both that "mirror" each other. Both have different uses, so I am not sure how much effort should be spent beyond that - I am concerned despite the best intentions, it might turn out to not be really helpful in the end and merely slow things down.
--- Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 16, 2008 8:16 AM
To: [EMAIL PROTECTED]
Cc: [email protected]; [EMAIL PROTECTED]
Subject: Re: [Syslog] transport-tls vs. syslog-sign

"Rainer Gerhards" <[EMAIL PROTECTED]> wrote on 05/16/2008 11:06:45 AM:

> [Rainer]
> The differences I see is that between the two there are differences in
> what modes can be used. For example
>
>                 -sign   -transport-tls
>   x.509         yes     yes
>   fingerprints  no      yes
>   openPgP       yes     no
>   (other)       yes     (N/A)
>
> Also, -sign specifies how certificates are distributed (section 5.2, 5.3
> among others). -transport-tls does not talk about certificate
> distribution. In fact, -sign focuses very much on the distribution.
> ...
>
> As I outlined in my mail yesterday, -tls cannot really authenticate the
> originator. -sign can do that. -sign cannot provide confidentiality.
> -tls can do that. So a really secure system would need to utilize both.
> Then, it would at least be useful to have the same set of drafts reuse
> some ideas. Even the relationship between those two is not spelled
> out...

I make this distinction on authentication. -tls authenticates the sender of the message. -sign authenticates the contents and creator of the message. Both have their uses, and they are independent concepts.

I find in practice that for syslog style operation I am usually satisfied with -tls plus the knowledge that the sender has done whatever is appropriate to ensure that message contents are appropriate. But, there are other syslog situations where that is not a reasonable assumption, and -sign is then needed.

R Horn

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
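The distinction drawn in the thread (-tls authenticates the sending hop, -sign the content and creator), shown as an added Go example that is not from the thread or from either draft: an originator signs a message with an Ed25519 key (an assumed stand-in for the certificates or OpenPGP keys -sign distributes), a relay that terminates the collector's TLS session forwards it, and the collector verifies against the originator's key. The Originator, Relay and CollectorVerify names and the sample message are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Originator creates syslog messages. Its Ed25519 key pair is an assumed
// stand-in for the certificate or OpenPGP key -sign would distribute.
type Originator struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewOriginator generates a fresh key pair for one originator.
func NewOriginator() *Originator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable here
	}
	return &Originator{Pub: pub, priv: priv}
}

// Sign returns a detached signature over the message bytes, which is what lets
// a collector check content and creator independently of the transport path.
func (o *Originator) Sign(msg []byte) []byte { return ed25519.Sign(o.priv, msg) }

// Relay models the hop that terminates the collector's TLS session. TLS proves
// only that the collector is talking to this relay, not what the relay hands on.
func Relay(msg, sig []byte, alter bool) ([]byte, []byte) {
	if alter && len(msg) > 4 {
		msg = append([]byte("<13>"), msg[4:]...) // PRI field rewritten in transit
	}
	return msg, sig
}

// CollectorVerify checks message and signature against the originator's key.
// The message is still plaintext: -sign gives integrity and origin, not secrecy.
func CollectorVerify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	o := NewOriginator()
	msg := []byte("<34>1 2008-05-16T08:16:00Z host app - - - constructed sample") // constructed
	sig := o.Sign(msg)
	altered, _ := Relay(msg, sig, true)
	fmt.Println(CollectorVerify(o.Pub, msg, sig), CollectorVerify(o.Pub, altered, sig)) // true false
}
```

The relay in the example stands in for any intermediate hop; with -tls alone the collector has authenticated only that hop, whereas the signature check fails for anything the originator did not produce.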
