Comments inline. > -----Original Message----- > From: Anton Okmianski (aokmians) [mailto:[EMAIL PROTECTED] > Sent: Monday, March 20, 2006 11:58 PM > To: Miao Fuyou; Chris Lonvick (clonvick); [EMAIL PROTECTED] > Subject: RE: [Syslog] Other syslog-tls Issues---Issue 1 and 2 > > > Miao: > > > -----Original Message----- > > From: Miao Fuyou [mailto:[EMAIL PROTECTED] > > Sent: Sunday, March 19, 2006 9:38 PM > > To: Chris Lonvick (clonvick); [EMAIL PROTECTED] > > Subject: [Syslog] Other syslog-tls Issues---Issue 1 and 2 > > > > > > [Issue 1]: Is it possible to use "generic certificate > for different > > host? > > Yes, this should not precluded. But it would be nice to make > the implications clear in security section. >
Yes, I think so. > > The generic certificate is for specific application type. > > Could be specific to app type. Could be generic across other > aspect of commonality. For example, all hosts of a certain > type (say lab hosts). > > > [Issue 2]: What to bind to a certificate? Hostname, Syslog APP- > > NAME(generic certificate)? > > I think any binding should be allowed. The default or > recommended one could be APP-NAME. > > I think we could communicate the type of binding in the cert > itself or make it completely configurable on hosts. > Communication of type of binding in cert can't be used for > security anyway, just for troubleshooting maybe. > > > APP-NAME binding makes authentication/ > > access control happens both in TLS handshake and Syslog message > > processing, is efficiency a problem? > > Not clear, what authentication is done on APP-NAME as part of > "Syslog message processing". > There are difference between Host name binding and app-name binding when being checked. For host name binding, application can check the binding only based on inforamtion(cert and hostname) at TLS layer and check it once for the session. For app-name binding, application must check information from both TLS(cert) and syslog(app-name). Is app-name consistent/constant for a specific connection? If no, application must check each syslog message against the cert. > Thanks, > Anton. > > > > > > > > > _______________________________________________ > > Syslog mailing list > > [email protected] https://www1.ietf.org/mailman/listinfo/syslog > > > _______________________________________________ Syslog mailing list [email protected] https://www1.ietf.org/mailman/listinfo/syslog
