> Neither IP address nor hostname are poor identities. The
> normal TLS validation proof of possession of the private key
> is far stronger. I would recommend against requiring IP
> address or hostname checking.
>
[Joe] Are you advocating use of certificate fingerprints (second option)?

> Further I am disturbed at the overly prescriptiveness of this
> specification. There is no need to include policy decisions
> like key management in this specification.
>
[Joe] Can you elaborate on this a bit? What text do you find problematic?

> John
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> > Of Rainer Gerhards
> > Sent: Wednesday, May 07, 2008 3:40 PM
> > To: [email protected]
> > Subject: [Syslog] -transport-tls-12, IP addresses
> >
> > Joe,
> >
> > [Editor's Note: How useful is it to match against IP address? Do we
> > expect deployments to issue certificates with IP addresses in them?
> > Are IP addresses typically used in configuration? ]
> >
> > I find this a tough question. In my experience, it is not uncommon to
> > configure forwarding via IP addresses instead of hostnames. One reason
> > for this is because of reliability of the logging system when DNS is
> > not (yet --> system startup) available. On the other hand, I find it
> > even a bit disturbing to have a certificate issued for an IP address.
> > But it may make sense. I personally would expect that operators tend
> > to use hostnames inside the certificate. The problem, of course, would
> > be that the configuration then needs both the name and IP address...
> >
> > I hope this is useful information, even though I am undecided.
> >
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/syslog
