Re: [Isms] (D)TLS question #2: expecting a server side certificate

Thanks for the pointer to the other discussion Tom, you're right that it's important.  Very, in fact, since the tlstm document already references it (and I'd prefer to keep the reference).

-----Original Message-----
From: "tom.petch" <cfinss at dial.pipex.com>
Date: Tuesday, Jul 14, 2009 8:36 am
Subject: Re: [Isms] (D)TLS question #2: expecting a server side certificate
Reply-To: "tom.petch" <cfinss at dial.pipex.com>
To: "David Harrington" <ietfdbh at comcast.net>, "'Wes Hardaker'" <wjhns1 at hardakers.net>, <isms at ietf.org>

----- Original Message ----- 
>From: "David Harrington" <ietfdbh at comcast.net>
>To: "'Wes Hardaker'" <wjhns1 at hardakers.net>; <isms at ietf.org>
>Sent: Sunday, July 12, 2009 1:59 AM
> 
> syslog/TLS requires implementation of self-signed certs for when a PKI
> system is not available (either by configuration choice or because the
> device has not yet established connectivity to the PKI).
> 
> I am no expert in PKI and TLS, but my understanding is we have this
> in syslog because SamH insisted that a non-PKI solution MUST be
> available (when syslog/TLS became a MUST to meet congestion control
> demands of the transport ADs). Pasi agreed and liked the
> fingerprint/self-signed certs for when PKI was not available.
> 
> If I have this wrong, I invite correction by Sam and/or Pasi.
> 
> Without making this a MUST implement for SNMP as well, an SNMP system
> not co-resident with a syslog system might not support the self-signed
> certs, and that means operators would need to use a different
> configuration for the TLS for SNMP-alone vs SNMP+syslog. I think that
> indirectly defeats the purpose of ISMS, which is to simplify the
> security configuration needed for SNMP. Wouldn't it be simpler to
> mandate implementation of (but not use of) self-signed certs for
> SNMP/TLS as well?
> 
>
>I agree; we should at least keep syslog and SNMP in line.
>
>I would also encourage anyone listening in to join 
>apps-discuss at ietf.org
>and press for this in the server identification draft, 
>draft-hodges-server-ident-check
>Some on that list are pushing for an http, TLS, PKI solution only,
>whereas I see the I-D as an opportunity to introduce a much-needed,
>wider coherence to the IETF.
>
>Tom Petch
>
>> dbh
> 
> > -----Original Message-----
> > From: Wes Hardaker [mailto:wjhns1 at hardakers.net] 
> > Sent: Saturday, July 11, 2009 1:20 PM
> > To: David Harrington
> > Cc: 'Wes Hardaker'
> > Subject: Re: (D)TLS question #2: expecting a server side certificate
>
>

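The non-PKI option argued for in the thread above, verifying a self-signed certificate by a configured fingerprint instead of by chain validation, in working form. This is an added example, not code from the ISMS or syslog drafts or from any SNMP implementation. It assumes two configuration shapes: an "ALGORITHM:hex:hex:..." text form (the exact spelling is an assumption, modeled loosely on the syslog/TLS fingerprint examples), and the octet-string form defined by the TLSTM's SnmpTLSFingerprint textual convention (RFC 6353), whose first octet is a hash algorithm identifier from the IANA TLS HashAlgorithm registry. The certificate bytes and all helper names are constructed for illustration.

```python
"""Fingerprint-based peer certificate check for (D)TLS without a PKI.

Added example; not code from the ISMS drafts or any implementation.
The comparison is constant-time and the caller is expected to abort the
handshake on a mismatch: without a PKI, the configured fingerprint is the
only thing binding the peer's key to its configured identity.
"""
import hashlib
import hmac

# IANA TLS HashAlgorithm registry identifiers (RFC 5246, section 7.4.1.4.1).
# RFC 6353's SnmpTLSFingerprint TC places this identifier in the first
# octet, followed by the digest of the DER-encoded certificate.
TLS_HASH_ALGORITHMS = {1: "md5", 2: "sha1", 3: "sha224",
                       4: "sha256", 5: "sha384", 6: "sha512"}
_ALG_IDS = {name: ident for ident, name in TLS_HASH_ALGORITHMS.items()}

# Constructed stand-in for a DER-encoded certificate (not a real one); a
# real peer would present the bytes from getpeercert(binary_form=True).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"


def cert_fingerprint(der_cert, alg):
    """Digest of the DER-encoded certificate with the named hash algorithm."""
    if alg not in _ALG_IDS:
        raise ValueError("unsupported hash algorithm: %r" % alg)
    return hashlib.new(alg, der_cert).digest()


def format_fingerprint(der_cert, alg="sha256"):
    """Text form an operator would paste into configuration (assumed spelling)."""
    digest = cert_fingerprint(der_cert, alg)
    return alg + ":" + ":".join("%02X" % b for b in digest)


def parse_text_fingerprint(text):
    """Parse 'sha256:AB:CD:...'; also accepts 'SHA-256' / 'SHA-1' spellings."""
    alg, sep, hexdigits = text.partition(":")
    if not sep:
        raise ValueError("fingerprint must be ALGORITHM:hex")
    alg = alg.lower().replace("-", "")
    if alg not in _ALG_IDS:
        raise ValueError("unsupported hash algorithm: %r" % alg)
    digest = bytes.fromhex(hexdigits.replace(":", ""))
    if len(digest) != hashlib.new(alg).digest_size:
        raise ValueError("digest length does not match %s" % alg)
    return alg, digest


def encode_snmp_tls_fingerprint(alg, digest):
    """RFC 6353 SnmpTLSFingerprint octets: algorithm identifier, then digest."""
    return bytes([_ALG_IDS[alg]]) + digest


def decode_snmp_tls_fingerprint(octets):
    """Inverse of encode_snmp_tls_fingerprint, rejecting unknown ids and bad lengths."""
    if not octets or octets[0] not in TLS_HASH_ALGORITHMS:
        raise ValueError("unknown or missing hash algorithm identifier")
    alg, digest = TLS_HASH_ALGORITHMS[octets[0]], octets[1:]
    if len(digest) != hashlib.new(alg).digest_size:
        raise ValueError("digest length does not match %s" % alg)
    return alg, digest


def verify_by_fingerprint(der_cert, configured):
    """True iff the presented certificate matches the configured fingerprint.

    'configured' is either the text form or the SnmpTLSFingerprint octets.
    """
    if isinstance(configured, (bytes, bytearray)):
        alg, expected = decode_snmp_tls_fingerprint(bytes(configured))
    else:
        alg, expected = parse_text_fingerprint(configured)
    return hmac.compare_digest(cert_fingerprint(der_cert, alg), expected)


if __name__ == "__main__":
    fp = format_fingerprint(SAMPLE_CERT_DER)
    print("configured:", fp)
    print("same cert matches:", verify_by_fingerprint(SAMPLE_CERT_DER, fp))
    print("other cert matches:", verify_by_fingerprint(SAMPLE_CERT_DER + b"x", fp))
```

The hash algorithm travels with the fingerprint rather than being fixed by the verifier, so an operator can move off a weak digest by re-issuing the configured value alone; the length check on both input forms catches a truncated or mis-pasted fingerprint before it can silently match nothing.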

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.