> > > So I go buy a Linksys or Netgear router or other consumer gear.
> > > I slip the CD into the drive and run software to install the
> > > management GUI on my PC.
> > > That software is used to perform an initial configuration of the
> > > device, such as enabling DHCP, setting WEP keys, and so on.
> > > This same software can presumably generate a key and "copy the
> > > fingerprint" to the device, right?
> > > Clueless operator need not be involved. The Internet is secure.
> > > 
> > > right?
> > 
> > Mostly ;) What the clueless user still needs to do is
> > 
> > 1) copy the server's fingerprint to the client
> > 2) configure the server to accept the client's fingerprint
> > 

> [Robert] 
> Another minor correction.  The dumb gear sends its certificate to the
> server, and gets its certificate from the server.  (I would suggest by a
> reasonably secure means, such as https.)  You then use the fingerprints to
> make sure that the right certificates were copied.
> 
> R Horn

[Rainer]
But that, of course, requires that we specify a protocol for
certificate/fingerprint exchange. The current draft does not provide
this. And, to be honest, I find that is way too much "just" to get TLS
protected syslog...

If we do not specify a protocol for certificate copying, I cannot
envision how the low end device will copy certificates to e.g. syslog-ng,
MonitorWare, Kiwi, rsyslog, msyslog, WinSyslog, ... They all have quite
different concepts. So my conclusion is that the operator must do it - at
least for the foreseeable future...

Even if the copy *could* happen (and it can't), you still need a GUI
frontend for the syslog to display and accept it. Such a GUI is uncommon
for *nix syslogds.

Rainer
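
The two operator steps quoted above (copy the server's fingerprint to the client, configure the server to accept the client's fingerprint) and the check that the right certificate was presented, as an added example that is not part of the thread or of the draft. SHA-256, the pin lists, the function names and the stand-in certificate bytes are all assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(text: str) -> str:
    """Reduce an operator-typed fingerprint to bare upper-case hex."""
    hexchars = "".join(ch for ch in text if ch not in ": -\t\n").upper()
    if not hexchars or any(ch not in "0123456789ABCDEF" for ch in hexchars):
        raise ValueError("fingerprint is not hex: %r" % text)
    return hexchars

def peer_is_pinned(peer_der: bytes, pinned: list, algo: str = "sha256") -> bool:
    """True if the presented certificate matches a fingerprint the operator configured."""
    actual = normalize(fingerprint(peer_der, algo)).encode()
    ok = False
    for entry in pinned:
        # compare_digest avoids leaking how many leading characters matched
        ok |= hmac.compare_digest(actual, normalize(entry).encode())
    return ok

# Constructed stand-ins for the DER bytes of each side's self-signed certificate.
SERVER_DER = b"constructed-der-bytes-of-syslog-server-cert"
DEVICE_DER = b"constructed-der-bytes-of-low-end-device-cert"

# Step 1: the operator copies the server's fingerprint to the client
# (retyped here in a different style to show why normalization is needed).
client_pins = [fingerprint(SERVER_DER).lower().replace(":", " ")]
# Step 2: the operator configures the server to accept the client's fingerprint.
server_pins = [fingerprint(DEVICE_DER)]

def handshake_checks(server_cert: bytes, device_cert: bytes) -> tuple:
    """(client accepts server, server accepts client) for the certificates presented."""
    return (peer_is_pinned(server_cert, client_pins),
            peer_is_pinned(device_cert, server_pins))

if __name__ == "__main__":
    print(handshake_checks(SERVER_DER, DEVICE_DER))          # both sides accept
    print(handshake_checks(b"some-other-cert", DEVICE_DER))  # client rejects the server
```

In a real deployment the bytes hashed are the DER encoding of the certificate the peer presents in the TLS handshake, and a mismatch on either side should abort the connection before any syslog message is sent.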
> 
> > Rainer
> > > 
> > > David Harrington
> > > _______________________________________________
> > > Syslog mailing list
> > > [email protected]
> > > https://www.ietf.org/mailman/listinfo/syslog