Neither IP address nor hostname is a poor identity. The normal TLS
validation, proof of possession of the private key, is far stronger. I
would recommend against requiring IP address or hostname checking.

Further, I am disturbed at the overly prescriptive nature of this
specification. There is no need to include policy decisions like key
management in this specification.

John

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Rainer Gerhards
> Sent: Wednesday, May 07, 2008 3:40 PM
> To: [email protected]
> Subject: [Syslog] -transport-tls-12, IP addresses
> 
> Joe,
> 
>    [Editor's Note: How useful is it to match against IP address?  Do we
>    expect deployments to issue certificates with IP addresses in them?
>    Are IP addresses typically used in configuration? ]
> 
> I find this a tough question. In my experience, it is not uncommon to
> configure forwarding via IP addresses instead of hostnames. One reason
> for this is because of reliability of the logging system when DNS is not
> (yet --> system startup) available. On the other hand, I find it even a
> bit disturbing to have a certificate issued for an IP address. But it
> may make sense. I personally would expect that operators tend to use
> hostnames inside the certificate. The problem, of course, would be that
> the configuration then needs both the name and IP address...
> 
> I hope this is useful information, even though I am undecided.
> 
> Rainer
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog
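The two positions in this exchange can be made concrete with a small check a syslog sender might perform on the collector's certificate. The Go program below is an added example, not code from the thread, the draft, or any syslog implementation: it builds two constructed self-signed certificates (one with only a DNS SAN, one with a DNS SAN plus an IP SAN), then shows that a sender configured with the IP address cannot match a name-only certificate (Rainer's point about needing both name and address in the configuration), and that a fingerprint pin identifies the peer purely by the certificate whose key it proved possession of, with no name or address involved (the identity John refers to). The hostname `syslog.example.com` and the address `10.0.0.5` are assumed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a self-signed server certificate carrying the
// given SAN entries. It is a constructed test certificate for this example,
// not one from any real syslog deployment.
func newSelfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "syslog collector (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesConfiguredPeer asks whether the certificate names the peer the way
// the sender has it configured. VerifyHostname accepts either a DNS name or
// an IP address literal and matches it against the SAN entries of that type,
// so an IP literal is never matched against a dNSName entry.
func matchesConfiguredPeer(cert *x509.Certificate, configured string) bool {
	return cert.VerifyHostname(configured) == nil
}

// fingerprint returns the hex SHA-256 of the DER certificate. Pinning this
// value ties the identity to the certificate (and so to the private key the
// peer proved possession of in the handshake), not to any name or address.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// matchesPin compares the presented certificate against a configured pin.
func matchesPin(cert *x509.Certificate, pin string) bool {
	return fingerprint(cert) == pin
}

func main() {
	// Assumed placeholder name and address for the collector.
	nameOnly, err := newSelfSignedCert([]string{"syslog.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	both, err := newSelfSignedCert([]string{"syslog.example.com"},
		[]net.IP{net.ParseIP("10.0.0.5")})
	if err != nil {
		panic(err)
	}

	fmt.Println("name-only cert, sender configured by name:", matchesConfiguredPeer(nameOnly, "syslog.example.com"))
	fmt.Println("name-only cert, sender configured by IP:  ", matchesConfiguredPeer(nameOnly, "10.0.0.5"))
	fmt.Println("name+IP cert,   sender configured by IP:  ", matchesConfiguredPeer(both, "10.0.0.5"))
	fmt.Println("pinned fingerprint of presented cert:     ", matchesPin(both, fingerprint(both)))
}
```

The second line of output is the practical consequence of a hostname-only certificate meeting an address-only configuration: the match fails even though the TLS handshake itself succeeded, which is why a deployment that forwards by IP address either needs the address in the certificate or an identity check, such as the pin, that does not depend on names at all.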