Miao:
> I think it is good that all TCP/TLS clients in the same host
> (device, relay or collector) share same client cert.

It depends on what you want to authenticate. I would mandate a tie of client identity to identity of the host.

> My further suggestion is to reuse tls session for all clients in same host.

While a valid use-case, we cannot mandate a central syslog agent on host which all clients must use. Each application should be allowed to function as an independent syslog client IMO.

> But, I don't think the certs can be generic to different hosts, it will weaken
> the security of TLS.

There are legitimate use-cases for that. It depends on what you want to authenticate. For example, if I want to allow access to my server to all applications of type X which all share the same certificate even though they are on different hosts. In this case, I am authenticating the application type, not specific client or host.

Anton.

_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
