Hi Rainer,
On Mon, 18 Dec 2006, Rainer Gerhards wrote:
Hi,
So far, I have not been able to do a full review. But this triggers my
attention immediately...
Perhaps restructure that as:
A Signature Block message that is compliant with RFC xxxx
[14] MUST
contain valid APP-NAME, PROCID, and MSGID fields.
Specifically, the
value for APP-NAME MUST be "syslog" (without the double quotes).
The value for MSG-ID MUST be "sig" (without the double
quotes). The
value for the PRI field MSUT be 110, corresponding to facility 13
and severity 6 (informational). The Signature Block is carried as
Structured Data within the Signature Block message, per the
definitions that follow in the next section.
Similar in Section 5.3.1.
Syslog-protocol does not reserve any specific values for APP-NAME,
PROCID and MSGID. So (at least theoretically), another implementor migth
use the suggested values for any other case.
As an implementor, I would probably like to consistenly use the same
APP-NAME. For example, all messages in rsyslog will be logged as
"rsyslogd".
I have just quickly read the IANA section (9.1): there is no such
registry like "APP-NAME". It might eventually be a good idea to create
one, but I am not sure if it is worth the trouble. In any case, I think
that must be spelled out in -protocol (else I can implement somthing
compliant to -protocol but not -sign). Same goes for MSGID.
My recommendation (without a full read of the document...) is to remove
any dependencies on APP-NAME, PROCID and MSGID and use structured data
fields for them. Otherwise, I foresee that I need a lot of hardcoded
exception inside a syslog implementation to "mangle" this fields so that
the happen to be right for -sign while they are invalid from the overall
application point of view.
We're going to have "ssign" and "ssign-cert" as the SD-IDs used for
syslog-sign. I don't think that there are any dependencies on APP-NAME,
PROCID and MSGID for the proper working of syslog-sign; they're just there
to make sure that these messages are placed consistently into the right
bins. The "ssign" and "ssign-cert" SD-IDs will be reserved for this.
--
Version field: I recommend renaming it to something like "Sig-Version"
to avoid mistaking -protocol VERSION and -sign Version.
There are actually two "Version" fields. The first is an SD-Param called
"VER" in the SD-ID of ssign. The second is an SD-Param, also called
"VER", in ssign-cert. This type of duplication is acceptable in the rules
of syslog-protocol. I can't think of any way that it could be confused
with the version number in the header of the syslog message.
--
I hope I will be able to do a full review by the end of the week.
Looking forward to it.
Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog