Re: [Syslog] Syslog-sign-26
Hi,
It seems to me that both "originator" and "signer" are identified
by (HOSTNAME, APP-NAME, PROCID) triple. So how to understand
an originator across multiple signers?
On the other hand, does a signer across multiple
originators make sense? Imagine that a syslog daemon collects logs from
multiple applications with different APP-NAME per application,
and the syslog daemon signs all the logs with different APP-NAMEs.
In that case, does each originator exchange its cert blocks
independently?
washam
----- Original Message -----
From: Pasi.Eronen at nokia.com
Date: Thursday, June 18, 2009 1:45 am
Subject: Re: [Syslog] Syslog-sign-26
To: alex at cisco.com
Cc: syslog at ietf.org
> Hi Alex,
>
> Thanks for the explanation - it did indeed clarify things, and seems
> to provide a simple way to fix the situation!
>
> The word "originator" comes from RFC 5424, and the current version of
> syslog-sign seems to assume that originator both originates normal
> syslog messages *and* signs them (originates Signature/Certificate
> Block messages). But your explanation -- a single originator (of
> normal syslog messages) could even have multiple signers (with
> different APP-NAME,PROCID) that sign the *same* normal syslog messages
> (with different algorithms) -- would seem to clarify things.
>
> However, this does require some changes to the draft, right?
> (introducing the term "signer", and replacing some instances of
> "originator" with "signer")
>
> Best regards,
> Pasi
>
>
> From: ext Alexander Clemm (alex) [mailto:alex at cisco.com]
> Sent: 12 June, 2009 09:28
> To: Eronen Pasi (Nokia-NRC/Helsinki)
> Cc: syslog at ietf.org
> Subject: Re: Syslog-sign-26
>
> Hello Pasi,
>
> I guess any confusion stems from the use of the word "originator".
> Therefore, let me use the term "signer" for the purposes of this
> discussion. A signer signs syslog-messages using a specific
> algorithm; it is an "originator" of syslog-sign messages. A single
> host can host multiple signers, which then each use their own
> Signature Groups and algorithms. The syslog-sign messages can be
> attributed to a specific signer using (HOSTNAME, APP-NAME, PROCID).
> Section 7 does say that you can separate syslog-sign messages
> according to signer, using this triple. (It is the syslog-sign
> messages you are concerned about; you separate the syslog-sign
> messages by signers. You can separate the "normal" messages by virtue
> of who signed them.) So, in summary, the ability to be able to use
> different algorithms to sign messages is supported, but the
> corresponding syslog-sign messages need to use different
> (HOSTNAME,APP-NAME,PROCID) to be able to distinguish which is used where.
>
> Now, the question is whether to equate "signer" with "originator".
> If you equate them, then each signer would be considered its own
> originator of its own syslog messages. However, you can also simply
> regard it from the perspective that the same originator can in effect
> incorporate multiple signers, if wanting to use multiple algorithms
> concurrently. It doesn't really matter - just like with "normal"
> syslog messages without syslog sign you don't really distinguish if
> there are multiple originators on the same host or only one - the
> syslog message does not contain an "originator-ID" but
> (HOSTNAME/APP-NAME/PROCID). In the end, the effect is the same: you
> support the ability to sign messages using different algorithms from
> the same host.
>
> Does this clarify?
> --- Alex
>
>
> Pasi Eronen wrote:
> "Hmmm... the major challenge in -25 was that although Payload/Signature
> Block identify the originator (HOSTNAME,APP-NAME,PROCID), normal
> syslog messages do not. So it seems you cannot separate the stored
> log files by originator, and process the parts one by one.
>
> If I understand you right, you're saying Section 7 does *not*
> in fact assume that you can separate the normal syslog messages
> by originator?
>
> BTW, version -26 is still silent about whether a single originator
> can sign the same set of messages using different algorithms (VER),
> and if it can, whether these are same Signature Groups (with same
> message number space) or different. What's your proposal for
> addressing this -- or do you think signing using multiple algorithms
> doesn't have to be supported?"
>
>
> _______________________________________________
> Syslog mailing list
> Syslog at ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
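The separation Alex describes for Section 7 (attribute each syslog-sign message to a signer by its (HOSTNAME, APP-NAME, PROCID) triple, while normal messages carry no signer identity of their own), shown as an added example that is not part of this thread or of the syslog-sign draft. It assumes the Signature Block and Certificate Block messages use the SD-IDs `ssign` and `ssign-cert` with parameters named as in the syslog-sign draft (VER, SG, HB, ...); the sample messages, host and application names, PROCIDs and VER values are all constructed. The stream below is washam's scenario: one host, two signing processes with different APP-NAME/PROCID, each emitting its own blocks with a different VER.

```python
import re
from collections import defaultdict

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$'
)
# One SD-ELEMENT: [SD-ID PARAM="value" ...]; the constructed values contain no escaped quotes or ']'
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^\s\]=]+)(?P<params>[^\]]*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=]+)="(?P<value>[^"]*)"')

# SD-IDs of Signature Block / Certificate Block messages, assumed to follow the syslog-sign draft
SIGN_SD_IDS = {"ssign", "ssign-cert"}

# Constructed sample stream (not real log data): two normal messages from two applications,
# and two signers on the same host that use different APP-NAME/PROCID and different VER values.
SAMPLE_STREAM = [
    '<34>1 2009-06-18T01:45:00Z host1 sshd 1122 - - Accepted publickey for alice',
    '<78>1 2009-06-18T01:45:00Z host1 cron 1133 - - job finished',
    '<110>1 2009-06-18T01:45:01Z host1 signer-a 2001 110 [ssign VER="0111" RSID="1" SG="0" SPRI="0"'
    ' GBC="1" FMN="1" CNT="2" HB="aGFzaDE= aGFzaDI=" SIGN="c2lnMQ=="]',
    '<110>1 2009-06-18T01:45:01Z host1 signer-b 2002 110 [ssign VER="0121" RSID="1" SG="0" SPRI="0"'
    ' GBC="1" FMN="1" CNT="2" HB="aGFzaDE= aGFzaDI=" SIGN="c2lnMg=="]',
    '<110>1 2009-06-18T01:45:02Z host1 signer-a 2001 111 [ssign-cert VER="0111" RSID="1" SG="0"'
    ' SPRI="0" INDEX="1" FRAG="constructed-cert-fragment" SIGN="c2lnMw=="]',
]


def parse_message(line):
    """Split an RFC 5424 message into header fields plus a dict of SD-ID -> {PARAM: value}."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    fields = m.groupdict()
    fields["sd"] = {}
    for el in SD_ELEMENT_RE.finditer(fields["rest"]):
        params = {p.group("name"): p.group("value")
                  for p in SD_PARAM_RE.finditer(el.group("params"))}
        fields["sd"][el.group("sdid")] = params
    return fields


def signer_id(msg):
    """The triple that identifies a signer; two signers on one host differ in APP-NAME and/or PROCID."""
    return (msg["host"], msg["app"], msg["procid"])


def split_stream(lines):
    """Separate syslog-sign messages by signer triple.

    Normal messages are returned in arrival order and left unattributed: their header
    names the application that wrote them, not who signed them. Attribution to a signer
    only happens later, by matching their hashes against the HB field of a signer's blocks.
    """
    by_signer = defaultdict(list)
    normal = []
    for line in lines:
        msg = parse_message(line)
        sign_ids = sorted(set(msg["sd"]) & SIGN_SD_IDS)
        if sign_ids:
            for sdid in sign_ids:
                by_signer[signer_id(msg)].append((sdid, msg["sd"][sdid]))
        else:
            normal.append(msg)
    return dict(by_signer), normal


def algorithms_per_signer(lines):
    """Distinct VER values seen per signer: a host wanting two algorithms uses two triples."""
    by_signer, _ = split_stream(lines)
    return {triple: sorted({params.get("VER") for _, params in blocks})
            for triple, blocks in by_signer.items()}


if __name__ == "__main__":
    blocks, normal = split_stream(SAMPLE_STREAM)
    print(f"{len(normal)} normal messages (no signer identity in their header)")
    for triple, entries in blocks.items():
        print(triple, [sdid for sdid, _ in entries])
    print(algorithms_per_signer(SAMPLE_STREAM))
```

Running it shows two signer groups on `host1`, each with its own VER, and the cron and sshd messages in a single unattributed list: exactly why a collector separates the syslog-sign messages by triple first, then works out which normal messages each signer covered.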