>>>>> "Eliot" == Eliot Lear <[email protected]> writes:
Eliot> Why is this necessary? Isn't it sufficient to import and
Eliot> make use of a self-signed certificate? Isn't it easy
Eliot> enough to run OpenSSL on a Mac or linux box and import the
Eliot> stuff? I could see an argument for usability concerns, but
Eliot> that's not sufficient grounds for a MUST.
Eliot> An aside about your 2119 language: I haven't reviewed all
Eliot> of it, nor am I a 2119 expert, but I can say that you will
Eliot> confuse people when you use MUST, SHALL, and REQUIRED.
Eliot> Section 5.3.2, 2nd para, last sentence:
>> The security parameters SHOULD be checked against the security
>> requirements of the requested session to make sure that the
>> resumed session provides proper security.
Eliot> I think what you are aiming at here is a downgrade attack.
Eliot> First, isn't this covered in DTLS? Otherwise, here I would
Eliot> argue for a MUST, and I would be more clear about what you
Eliot> are protecting against, such as the following:
>> In order to avoid downgrade attacks, an existing session MUST
>> NOT be reused if its protection does not match the minimum
>> policy requirements of the new SYSLOG over DTLS session
>> request.
Eliot> Editorial:
Eliot> Same section ABNF: is it not customary to use lower case,
Eliot> particularly for non-terminals?
Eliot> Again, thanks to the authors for putting this out there.
Eliot> Eliot
Why isn't usability sufficient for a MUST in this case? Here's the
argument. Unless turning on security is as easy as not doing so, then
there is a significant cost to security and we will not get the
benefits we should. As a result, especially because there are
significant passive attacks protected against by using DTLS, the
security of the protocol will be significantly improved by requiring
implementations provide an easy-to-enable security solution.
Generating a self-signed cert on a Mac or Linux box is *not* easy compared to
running syslogd.
Sam, with his painless-security.com hat on.
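The resumption check discussed above (reuse a cached DTLS session only if it is no weaker than what the new syslog-over-DTLS request demands), written out as an added example; this is not code from the draft or from either author, and the field names, version ordering and policy fields are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed illustration: decide whether a cached DTLS session may be
# reused for a new syslog-over-DTLS request without downgrading it.
# Field names, the version ordering and the policy fields are assumed
# for this example, not taken from the draft or from any DTLS library.

VERSION_RANK = {"DTLSv1.0": 1, "DTLSv1.2": 2}   # assumed: higher is newer

@dataclass(frozen=True)
class SessionParams:
    version: str
    cipher: str
    key_bits: int              # 0 for a NULL (unencrypted) cipher
    peer_authenticated: bool   # peer presented a certificate we accepted

@dataclass(frozen=True)
class Policy:
    min_version: str
    min_key_bits: int
    require_peer_auth: bool
    forbidden_ciphers: frozenset

def resumption_violations(resumed: SessionParams, policy: Policy) -> list:
    """Every way the cached session falls short of the new request's
    policy. An empty list means resuming cannot downgrade the session."""
    problems = []
    if VERSION_RANK[resumed.version] < VERSION_RANK[policy.min_version]:
        problems.append(f"{resumed.version} older than {policy.min_version}")
    if resumed.cipher in policy.forbidden_ciphers:
        problems.append(f"cipher {resumed.cipher} is forbidden")
    if resumed.key_bits < policy.min_key_bits:
        problems.append(f"{resumed.key_bits}-bit key below {policy.min_key_bits}")
    if policy.require_peer_auth and not resumed.peer_authenticated:
        problems.append("peer was not authenticated")
    return problems

def may_resume(resumed: SessionParams, policy: Policy) -> bool:
    """The MUST NOT from the thread: reuse only if nothing is weaker
    than the minimum policy of the new session request."""
    return not resumption_violations(resumed, policy)

# Constructed sample data: one strict policy and three cached sessions.
STRICT = Policy("DTLSv1.2", 128, True, frozenset({"NULL-SHA", "RC4-SHA"}))
STRONG_CACHED = SessionParams("DTLSv1.2", "AES128-GCM-SHA256", 128, True)
ANON_CACHED = SessionParams("DTLSv1.2", "AES128-SHA", 128, False)
WEAK_CACHED = SessionParams("DTLSv1.0", "NULL-SHA", 0, False)
```

A cached session that fails any check forces a full handshake under the new policy rather than a resumption.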
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog