Re: [Syslog] Syslog-sign: Certificate chains?



I think the core point is that trust models in -sign and -transport-TLS
are quite different. At least, I think, it would be useful to provide a
mapping between the two.

Rainer

> -----Original Message-----
> From: syslog-bounces at ietf.org [mailto:syslog-bounces at ietf.org] On
> Behalf Of Jon Callas
> Sent: Wednesday, July 23, 2008 8:45 PM
> To: <Pasi.Eronen at nokia.com>
> Cc: syslog at ietf.org
> Subject: Re: [Syslog] Syslog-sign: Certificate chains?
> 
> 
> On Jul 23, 2008, at 5:27 AM, <Pasi.Eronen at nokia.com> <Pasi.Eronen at nokia.com> wrote:
> 
> >
> > Most IETF protocols that send certificates around support sending
> > certificate chains, too. Should syslog-sign support this, too?
> > If not, why?
> 
> The model is for a more direct trust system where the certificate
> transferred is its own trust anchor. So if I am going to send you a log
> stream that I'll be signing with a certificate, I just send you the
> cert that I'm signing with. There's no need for a chain. Perhaps that
> cert descends from a formal CA and that may contain its own goodness,
> but it is not necessary.
> 
> 	Jon
> 
> 
> _______________________________________________
> Syslog mailing list
> Syslog at ietf.org
> https://www.ietf.org/mailman/listinfo/syslog



Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.