> -----Original Message-----
> From: Balazs Scheidler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 21, 2006 5:27 PM
> To: Miao Fuyou
> Subject: RE: [Syslog] Other syslog-tls Issues---Issue 1 and 2
>
> On Tue, 2006-03-21 at 10:54 +0800, Miao Fuyou wrote:
> > > Not clear, what authentication is done on APP-NAME as part of
> > > "Syslog message processing".
> >
> > There are differences between host name binding and app-name binding
> > when being checked. For host name binding, the application can check the
> > binding only based on information (cert and hostname) at the TLS layer and
> > check it once for the session. For app-name binding, the application must
> > check information from both TLS (cert) and syslog (app-name).
> >
> > Is app-name consistent/constant for a specific connection? If not,
> > the application must check each syslog message against the cert.
>
> Definitely no, a single connection will be used to deliver
> messages for multiple applications, so the certificate
> should be bound to the syslog sender and not to any individual
> applications running on the sender.
I infer from your sentence that a "generic" certificate is not possible. Each TLS connection is associated with at most one certificate in each direction. However, multiple app-names require multiple certificates. That conflicts with the TLS specification. Right?

> The question is how the receiver resolves the sender host,
> using reverse DNS? or it simply accepts any trusted
> certificates no matter what the name is.

I don't think it is a problem; the application should decide how to resolve the sender host.

> --
> Bazsi

_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
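The distinction drawn in the quoted exchange, a host-name binding decided once per session from TLS-layer data versus an app-name binding that must be re-checked on every message against the same certificate, as an added example in Python. This is not code from the thread or from any syslog implementation. The header layout follows the syslog-protocol draft under discussion on this list (the format that later became RFC 5424); the certificate identity (taken here as the DNS name already verified at the TLS layer), the peer host name, the policy table and the log lines are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# syslog-protocol header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME
# SP PROCID SP MSGID, followed by structured data and the message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+)(?: (?P<rest>.*))?$"
)

# Assumed policy: certificate identity -> APP-NAMEs it is allowed to send.
# A real receiver would load this from configuration; it is invented here.
APP_BINDING: Dict[str, set] = {
    "relay1.example.net": {"sshd", "cron"},
}


def parse_header(line: str) -> Optional[Dict[str, str]]:
    """Return the header fields of one syslog-protocol line, or None if malformed."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def check_host_binding(cert_name: str, peer_host: str) -> bool:
    """Host-name binding: needs only TLS-layer data, so it is decided once per session.
    How peer_host is obtained (reverse DNS, configuration) is left to the application."""
    return cert_name.lower() == peer_host.lower()


def check_app_binding(cert_name: str, appname: str) -> bool:
    """App-name binding: needs the cert AND the APP-NAME of each message.
    '-' is the NILVALUE, i.e. no APP-NAME was supplied, so there is nothing to bind."""
    return appname == "-" or appname in APP_BINDING.get(cert_name, set())


def process_session(cert_name: str, peer_host: str,
                    lines: List[str]) -> List[Tuple[bool, str]]:
    """Apply both bindings over one TLS session carrying several messages.

    The host binding is evaluated exactly once; the app-name binding is
    evaluated per message because one connection carries many applications."""
    if not check_host_binding(cert_name, peer_host):
        # Nothing on this session is trusted; reject every message.
        return [(False, "host binding failed") for _ in lines]

    results = []
    for line in lines:
        hdr = parse_header(line)
        if hdr is None:
            results.append((False, "malformed header"))
            continue
        ok = check_app_binding(cert_name, hdr["appname"])
        reason = "ok" if ok else "app-name %s not bound to %s" % (hdr["appname"], cert_name)
        results.append((ok, reason))
    return results


# Constructed sample messages, all arriving on one session from the same sender.
SAMPLE_LINES = [
    "<34>1 2006-03-21T09:27:00Z relay1.example.net sshd 1234 ID47 - Accepted publickey",
    "<86>1 2006-03-21T09:27:01Z relay1.example.net cron 77 - - (root) CMD (run-parts)",
    "<13>1 2006-03-21T09:27:02Z relay1.example.net evilapp 9 - - spoofed app-name",
    "<13>1 2006-03-21T09:27:03Z relay1.example.net - - - - no app-name given",
]

if __name__ == "__main__":
    for line, (ok, reason) in zip(
            SAMPLE_LINES,
            process_session("relay1.example.net", "relay1.example.net", SAMPLE_LINES)):
        print("ACCEPT" if ok else "REJECT", reason, "::", line)
```

Run as-is and the third line is rejected while the others pass: the sender's certificate checks out for the session, but the APP-NAME of each message still has to be looked up against that one certificate, which is exactly why a per-application certificate cannot be carried on a single TLS connection.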
