RE: draft-shafer-netconf-syslog-00.txt

["Rainer Gerhards" <rgerhards@hq.adiscon.com>]

Vincent, 

> Sure. That would be a problem.
> I was thinking of an alternative where the agent generates a new 
> signature of the XML document (the translated syslog message) using 
> XML-DigitalSignature from W3C.
> (Before doing so, the agent may check the original syslog signature.)
> As usual with security considerations, it would be more 
> costly both for:
> - processing time on agent side (check old and generate new 
> signature),
> - storage on the manager side (An XML-DS document might consume more 
> storage than a signed syslog message).

There is an importnat legal issue: AFAIK (I am not a lawyer), this would
be a "derived signature" and not an "original signature". I have been
told that (at least in the US) you need to have an original signature to
use the log as evidence in court. Other voices said that if one can
argue that the derived signature is as good as the original one AND can
proove this point, then it *might* be used as evidence, too. The problem
is that you must very carefully argue that no tampering is possible at
the gateway.

Rainer

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>