Tom Petch

----- Original Message -----
From: "Moehrke, John (GE Healthcare)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 26, 2005 6:07 PM
Subject: RE: Why not TLS was Re: [Syslog] Secure substrate - need your input
> There is a misunderstanding of the information I have seen given by many people on this list regarding TLS. I think this misunderstanding is also being applied to SSH.
> <snip>
> So, SYSLOG needs to ask: do they want to authenticate the user, machine, or both?

Tom - yes, agree strongly but I don't know the answer.

> TLS does support mutual node authentication. The healthcare world has been using mutual-node-authenticated-TLS for over three years. We use it often to ensure that an X-Ray device is actually talking to the Picture Archiving Service. Both systems need to know that they are talking to the right 'other' system. This transaction doesn't need to have user authentication as the process is fully automated. Indeed we don't always turn on TLS encryption. But we do always do mutual-authentication. Yes this means that there is an X.509 certificate managed for both nodes. But this certificate management is not nearly as complex as person-certificates (another discussion we can have on misunderstandings due to the wrong questions being asked).

Tom - this one puzzles me. SSH has got server and client authorisation defined in the I-Ds, soon to be RFCs. Reading the TLS I-Ds I see no sign of client authorisation and since that is a must for SNMP, then the note I quoted earlier, to the isms list, saying that SASL would be needed alongside TLS made perfect sense (as I would expect since it came from the Security AD:-). So where does mutual authentication come from? What RFC or I-D defines it? Is it a proprietary extension? Is it two simplex transmissions with only server authentication? Sometimes it does matter to know what goes on under the covers. (Of course, if client authentication is not needed then this is academic.)
> <snip>
> John

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
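The mutual node authentication John describes and the client-side certificate check Tom asks about are both part of the base TLS handshake rather than an extension: the server sends a CertificateRequest (RFC 2246, section 7.4.4) and verifies the client's Certificate and CertificateVerify before the session is usable. The Go program below is an added illustration, not code from this thread or from any IETF work: it stands up a syslog-style collector that requires and verifies a sender certificate and shows the handshake succeeding only for a trusted sender; the self-signed certificates and the node names "collector" and "xray-1" are constructed stand-ins for the certificate each node would actually be provisioned with.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newNodeCert builds a self-signed X.509 node identity and a pool trusting only it (constructed stand-in for a provisioned node certificate).
func newNodeCert(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// MutualHandshake runs one in-memory handshake in which the collector (server side) requires
// and verifies the sender's certificate, and returns the collector's verdict. Under TLS 1.3
// the sender's own Handshake can return nil before the collector has rejected its certificate,
// so the server-side result, not the client's, is what says whether the node authenticated.
func MutualHandshake(collector tls.Certificate, trustSender, trustCollector *x509.CertPool, senderCerts ...tls.Certificate) error {
	srv := &tls.Config{Certificates: []tls.Certificate{collector}, ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs: trustSender, SessionTicketsDisabled: true} // no post-handshake writes on the synchronous pipe
	cli := &tls.Config{Certificates: senderCerts, RootCAs: trustCollector, ServerName: "collector"}
	sConn, cConn := net.Pipe()
	sConn.SetDeadline(time.Now().Add(5 * time.Second)) // belt and braces against a stuck handshake
	cConn.SetDeadline(time.Now().Add(5 * time.Second))
	verdict := make(chan error, 1)
	go func() { verdict <- tls.Server(sConn, srv).Handshake() }()
	err := tls.Client(cConn, cli).Handshake()
	cConn.Close() // unblocks the collector if it is still trying to send its rejection alert
	if err != nil {
		return err // the sender itself refused the collector's certificate
	}
	return <-verdict
}
```

A sender with no certificate, or one the collector's ClientCAs does not trust, is refused at the handshake, which is the node-level check the thread is discussing; user authentication is a separate question this exchange does not address.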