Date: Tue, 29 Jul 1997 21:11:23 -0400 (EDT)
From: Adam Shostack <adam@homeport.org>
To: robert+freebsd@cyrus.watson.org
Cc: security@FreeBSD.ORG, adam@homeport.org, rgrimes@GndRsh.aac.dev.com, dholland@eecs.harvard.edu
Subject: Re: secure logging (was: Re: security hole in FreeBSD)
Message-ID: <199707300111.VAA16730@homeport.org>
In-Reply-To: <Pine.BSF.3.95q.970728151940.3342I-100000@cyrus.watson.org> from Robert Watson at "Jul 28, 97 03:29:43 pm"
Robert Watson wrote:
| Is there any consensus on the use of DNSsec in the network community, as
| it has not yet been made widely available (or at least, it is available,
| but not largely used.) The key namespace here could be used however one
| desired, not necessarily in a DNS-style way. The entity-name, whatever
| that is, simply suggests which key/algorithm should be used, a server
| could be configured to pull that information from DNSsec, or from an
| internal key-file (or both.)

I don't trust the DNS right now. I also don't see a need to put keys
there for local use. Use ssh to distribute them. :)

| An ACK message has already been stated as desirable -- would a simple
| signature over the last packet (or header + signature) using the shared
| secret, entity public key, or whatever, back on the TCP connection
| suffice? Maybe something lighter-weight?

I'm leaning to acks being simpler than involving the last packet, and
towards them involving just a sequence number:

ACK log://somehost.evil.net:234566, HMAC

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
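The sequence-number ack sketched above, worked through as an added example (not code from the thread or from FreeBSD): the log server returns `ACK <target>,<seq>,<HMAC>` keyed with a shared secret, and the client accepts the ack only if target, sequence number and HMAC all check out. The secret, target host and port are constructed placeholders; HMAC-SHA256 and the exact field layout are my assumptions, since the message only names "HMAC".

```python
import hmac
import hashlib

# Constructed shared secret between log client and log server (assumed; the
# message says only to distribute keys with ssh rather than via DNS).
SHARED_SECRET = b"constructed-demo-secret"

# Constructed log target; the message's "log://somehost.evil.net:234566" is a
# sketch, so a placeholder host and port stand in for it here.
LOG_TARGET = "log://logserver.example.invalid:514"


def ack_tag(secret: bytes, target: str, seq: int) -> bytes:
    """HMAC-SHA256 over the log target and sequence number only.

    Binding just the sequence number (not the whole last packet) is the
    lighter-weight form the message leans towards.
    """
    msg = f"ACK {target},{seq}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def build_ack(secret: bytes, target: str, seq: int) -> str:
    """Server side: emit the ack line 'ACK <target>,<seq>,<hex HMAC>'."""
    return f"ACK {target},{seq},{ack_tag(secret, target, seq).hex()}"


def verify_ack(secret: bytes, target: str, expected_seq: int, line: str) -> bool:
    """Client side: accept the ack only if it names the expected target and
    sequence number and its HMAC verifies (constant-time compare)."""
    try:
        prefix, rest = line.split(" ", 1)
        tgt, seq_str, tag_hex = rest.rsplit(",", 2)
        seq = int(seq_str)
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed ack: wrong field count or bad hex/int
    if prefix != "ACK" or tgt != target or seq != expected_seq:
        return False  # ack for a different target or a replayed/old seq
    return hmac.compare_digest(tag, ack_tag(secret, target, seq))
```

A client that tracks the next expected sequence number per target gets replay and reordering detection for free, since an old ack fails the `seq != expected_seq` check before the HMAC is even compared.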