Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt
- To: "Sam Hartman" <hartmans-ietf at mit.edu>, "Eliot Lear" <lear at cisco.com>
- Subject: Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt
- From: "Rainer Gerhards" <rgerhards at hq.adiscon.com>
- Date: Mon, 2 Nov 2009 18:00:52 +0100
- Cc: "Woundy, Richard" <Richard_Woundy at cable.comcast.com>, deketelaere at tComLabs.com, enechamkin at broadcom.com, "Ong, Lyndon" <Lyong at Ciena.com>, Margaret Wasserman <mrw at lilacglade.org>, Wes Hardaker <wjhns1 at hardakers.net>, Sumanth Channabasappa <sumanth at cablelabs.com>, Andi Kosich <akosich at oiforum.com>, v.marinov at jacobs-university.de, akarmaka at cisco.com, Huang Min <huangmin123 at huawei.com>, syslog at ietf.org, Jeffrey Hutzelman <jhutz at cmu.edu>
- List-archive: <http://www.ietf.org/mail-archive/web/syslog>
- List-id: Security Issues in Network Event Logging <syslog.ietf.org>
- References: <AC1CFD94F59A264488DC2BEC3E890DE508E8A6EB at xmb-sjc-225.amer.cisco.com><012201ca56e8$f0e4ac40$0601a8c0 at allison><0cc801ca5752$e24aad00$0600a8c0 at china.huawei.com><4AE834B4.6090209 at cisco.com> <tsly6mv1tw4.fsf at mit.edu>
> -----Original Message-----
> From: Sam Hartman [mailto:hartmans-ietf at mit.edu]
> Sent: Wednesday, October 28, 2009 3:22 PM
> To: Eliot Lear
> Cc: David Harrington; 'tom.petch'; 'Joseph Salowey (jsalowey)';
> syslog at ietf.org; 'Wes Hardaker'; 'Juergen Schoenwaelder'; 'Huang Min';
> Rainer Gerhards; 'Sharon Chisholm'; alex at cisco.com; 'Glenn M. Keeni';
> 'Miao Fuyou'; 'Anton Okmyanskiy (aokmians)'; akarmaka at cisco.com;
> v.marinov at jacobs-university.de; 'Woundy, Richard'; 'Sumanth
> Channabasappa'; deketelaere at tComLabs.com; enechamkin at broadcom.com;
> 'Richard Graveman'; 'Ong, Lyndon'; 'Andi Kosich'; 'Sam Hartman';
> 'Margaret Wasserman'; 'Jeffrey Hutzelman'
> Subject: Re: [Syslog] FW: I-D Action:draft-ietf-syslog-dtls-00.txt
> Why isn't usability sufficient for a MUST in this case? Here's the
> argument. Unless turning on security is as easy as not doing so, then
> there is a significant cost to security and we will not get the
> benefits we should. As a result, especially because there are
> significant passive attacks protected against by using DTLS, the
> security of the protocol will be significantly improved by requiring
> implementations provide an easy-to-enable security solution.
>
> Generating a self-signed cert on a Mac or Linux box is *not* easy
> compared to running syslogd.
>
> Sam, with his painless-security.com hat on.
I agree with the argument, but from the technical perspective it is hard to do
this in a typical Linux syslogd. The problem is that all the "user interface" you
can expect to have is a config file and a text editor. Blindly generating
certificates if they are not specified in the config file is not appropriate,
I think. So the user needs to run an external tool in any case. I fully agree
that openssl is not what we have in mind when thinking about ease of use.
But any more graphical front end will most probably not be delivered by
default by the distro's package managers. They, for good reason, try to keep
the syslogd footprint as small as possible. In the end, a specific
syslogd might support a GUI for certificate generation, but the user will
probably need to run through the process of compiling that functionality from
source, which is also a showstopper for many users.

On the other hand, a small shell script working as a "front end" to openssl
(or whatever) will probably be included in the distro's syslogd (or
syslogd-dtls) package.

For this reason, I would prefer to see a RECOMMENDED, but I definitely would
not object to a MUST. However, we need to be aware that there are many parties
involved in making this MUST actually happen, so it will not be much stronger
than a RECOMMENDED in practice.
Rainer
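As an added illustration of the "small shell script front end to openssl" that the reply above describes (example code written for this archive page, not part of the thread, the draft, or any syslogd project): a POSIX sh wrapper that creates a self-signed certificate and key for a DTLS-capable syslogd, refuses to overwrite credentials that already exist (the "blindly generating certificates" case), keeps the key non-world-readable from the moment it is written, and prints the certificate fingerprint an operator would pin on the peer. The file names, the 2048-bit RSA key, the CN-only subject, the default 365-day validity and the return codes are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal operator-facing
# front end to openssl for generating syslogd DTLS credentials.
# Usage: gen_syslog_cert /etc/syslog-dtls loghost.example.test [DAYS]
# All paths, names and defaults below are assumptions of this example.

# gen_syslog_cert DIR HOSTNAME [DAYS]
# Writes DIR/syslog-key.pem and DIR/syslog-cert.pem.
# Returns 0 on success, 1 on an openssl/filesystem error, 2 if openssl is
# not installed, 3 if a key or certificate already exists (never silently
# replaces credentials a running syslogd or its peers may already rely on).
gen_syslog_cert() {
    dir=$1
    host=$2
    days=${3:-365}
    key="$dir/syslog-key.pem"
    cert="$dir/syslog-cert.pem"

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    if [ -e "$key" ] || [ -e "$cert" ]; then
        echo "refusing to overwrite existing $key or $cert" >&2
        return 3
    fi
    mkdir -p "$dir" || return 1
    # Restrictive umask in a subshell: the private key is created mode 0600
    # directly, so there is no window in which it is readable by others.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$cert" -days "$days" \
        -subj "/CN=$host" >/dev/null 2>&1) || return 1
    chmod 600 "$key" || return 1
    chmod 644 "$cert" || return 1
    return 0
}

# cert_fingerprint CERT
# Prints the SHA-256 fingerprint of CERT as colon-separated hex, the value an
# operator copies into the peer's configuration to pin this certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_subject_cn CERT
# Prints the CN from the certificate subject, for checking the result. The
# sed handles both "CN = host" (OpenSSL 1.1+) and "/CN=host" (OpenSSL 1.0).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/^.*CN *= *//'
}
```

The refusal to overwrite is the point that matters most operationally: a package post-install hook can call this safely on every upgrade, because it only ever creates credentials on a host that has none, and an operator who has already deployed a CA-issued certificate is never surprised by a fresh self-signed one. The printed fingerprint is what makes a self-signed certificate usable at all, since the receiving side has nothing else to verify it against.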