> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Martin Schütte
> Sent: Saturday, May 10, 2008 10:33 AM
> To: [email protected]
> Subject: [Syslog] why fingerprints? (Re: 
> I-DAction:draft-ietf-syslog-transport-tls-12.txt)
> 
> >    o  Certificate fingerprints: For each transport 
> receiver, the client
> >       is configured with a fingerprint of the server's certificate
> >       (which can be self-signed).  This option MUST be supported.
> 
> Am I the only one who finds this whole fingerprint option 
> completely unnecessary?
> Is this practice actually used somewhere? I have not heard 
> about this before and get the impression it is only a bad 
> substitute for copying the peer's certificate.
> 
[Joe] Fingerprints are essentially equivalent to obtaining the peer's 
certificate.  The main advantage a fingerprint has is that it is easier both 
to communicate and to compare when a human being is involved.  The main 
reason for specifying the format is so that something exported from one 
implementation can be input into another.  As has been pointed out on the list 
there can be other ways of obtaining the necessary peer certificate 
information.  To some user communities fingerprints would be familiar and 
convenient.  

Certificate fingerprints are used in several places today.  For example, in 
most web browsers you can view the fingerprint of a server certificate.  In 
addition SSH uses a similar fingerprint concept for public keys without X.509 
certificates.   


> --
> Martin
> 
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog
> 
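As an added illustration of the point Joe makes (not code from the thread or from any syslog implementation): a fingerprint is just a hash over the peer's DER-encoded certificate, so exporting it from one implementation and importing it into another only works if both agree on the hash algorithm and the textual layout. The snippet below assumes a textual form of `algorithm:HH:HH:...` (the exact format is an assumption here, not taken from the draft), uses a constructed byte string in place of a real DER certificate, and shows the receiver-side check a client would perform against a configured fingerprint, including a constant-time comparison and a length check that rejects a truncated or wrong-algorithm value.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate. Any bytes work for the
# hashing step; a real client would hash the DER bytes received in the TLS
# handshake, not a file it read from disk.
SAMPLE_DER_CERT = b"\x30\x82\x01\x0a" + bytes(range(256))


def fingerprint(der_cert: bytes, algorithm: str = "sha256") -> str:
    """Export a fingerprint as 'algorithm:HH:HH:...' over the DER bytes.

    The algorithm name is carried inline so that a receiving implementation
    knows which hash to recompute (assumed format, see lead-in).
    """
    digest = hashlib.new(algorithm, der_cert).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algorithm}:{pairs}"


def parse_fingerprint(text: str) -> tuple[str, bytes]:
    """Parse the textual form back into (algorithm, raw digest).

    Tolerates the variations a human is likely to introduce when copying a
    fingerprint by hand: mixed case, 'sha-256' vs 'sha256', missing colons.
    Rejects values whose length does not match the named hash, which catches
    truncated input and algorithm/digest mismatches before any comparison.
    """
    algorithm, _, hexpart = text.strip().partition(":")
    algorithm = algorithm.lower().replace("-", "")
    raw = bytes.fromhex(hexpart.replace(":", ""))
    expected_len = hashlib.new(algorithm).digest_size
    if len(raw) != expected_len:
        raise ValueError(
            f"{algorithm} fingerprint must be {expected_len} bytes, got {len(raw)}"
        )
    return algorithm, raw


def matches(der_cert: bytes, configured: str) -> bool:
    """Client-side check: does the presented certificate match the pinned value?

    Recomputes the hash over the DER bytes with the algorithm named in the
    configured fingerprint and compares in constant time.
    """
    algorithm, expected = parse_fingerprint(configured)
    actual = hashlib.new(algorithm, der_cert).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pinned = fingerprint(SAMPLE_DER_CERT)
    print("exported:", pinned)
    print("match   :", matches(SAMPLE_DER_CERT, pinned))
    print("tampered:", matches(SAMPLE_DER_CERT + b"\x00", pinned))
```

Because the check binds to the whole certificate rather than to a CA, a renewed or re-issued certificate changes the fingerprint and has to be redistributed to every client; that operational cost is the trade-off against the convenience Joe describes.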
