The syslog over TLS document allows for certificates using full path validation and certificate fingerprint matching. The DTLS document takes the same approach. This may not fully address your SHA-1 concern, but it does provide a mechanism to get things up and running without a full PKI.
Also, the GCM cipher suites are not available in DTLS until we complete DTLS 1.2. Other PSK cipher suites could be implemented with DTLS and syslog, the current draft does not restrict them. Joe > -----Original Message----- > From: Richard Graveman [mailto:[email protected]] > Sent: Friday, March 05, 2010 4:22 PM > To: Chris Lonvick (clonvick) > Cc: Joseph Salowey (jsalowey); [email protected] > Subject: Re: [Syslog] New Version: draft-ietf-syslog-dtls-02 > > > I've looked over these changes and feel that they address the WGLC > comments > > that were received. I'd appreciate it if the people who did the reviews > > would also do a check. > > Requiring certificates is a lot of extra baggage for worsened > security. All the commonly encountered certificates today are based on > signatures of weak hash functions, primarily SHA-1. Cipher suites > like: > > 0x00,0xA8 TLS_PSK_WITH_AES_128_GCM_SHA256 [RFC5487] > 0x00,0xA9 TLS_PSK_WITH_AES_256_GCM_SHA384 [RFC5487] > > do not suffer from the twin disease of weak and inefficient security > and ought to be an option, as Tschonfig and Eronen say in 4279: > > ... pre-shared keys may be more convenient from a key > management point of view. For instance, in closed environments > where the connections are mostly configured manually in advance, > it may be easier to configure a PSK than to use certificates. > Another case is when the parties already have a mechanism for > setting up a shared secret key, and that mechanism could be used > to "bootstrap" a key for authenticating a TLS connection. > > This is precisely the environment is which I would expect to find a > lot of syslog, as opposed to "TLS on the Web." > > Rich Graveman _______________________________________________ Syslog mailing list [email protected] https://www.ietf.org/mailman/listinfo/syslog
