Hi all, in my implementation effort (now mostly completed), I asked several people for advice on implementing fingerprints. In almost all cases the initial reply was "why use non-standard fingerprints when we have PSK"? I know that RFC 4279 in section 1.1 says:
> If the main goal is to avoid Public-Key Infrastructures (PKIs), another possibility worth considering is using self-signed certificates with public key fingerprints. Instead of manually configuring a shared secret in, for instance, some configuration file, a fingerprint (hash) of the other party's public key (or certificate) could be placed there instead.

However, I think it would be useful to add some short text on why fingerprints are more desirable. And the real question is: are they actually more desirable?

Rainer

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
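The mechanism the RFC excerpt describes, as an added example that is not part of the original post or of any syslog implementation: a configured fingerprint (hash of the peer's DER-encoded certificate) replaces PKI chain validation as the trust anchor. The code uses only the Python standard library; the algorithm names accepted, the `SHA256:AA:BB:...` pin format, and the `SAMPLE_DER` bytes are assumptions and constructed data, not values from the page or from any real certificate.

```python
"""Fingerprint-pinned TLS, added example (not from the original post).

A configured fingerprint of the peer's certificate is the trust anchor,
so chain validation is deliberately disabled and the pin check decides
whether the connection is accepted. Standard library only.
"""
import hashlib
import hmac
import socket
import ssl

# Algorithms accepted in the configuration file (assumed set; the page
# does not fix one). Keyed by the lowercase name used in the pin string.
ALGORITHMS = {"sha256": hashlib.sha256}

# Constructed placeholder standing in for a peer's DER-encoded certificate.
# It is not a real certificate; real bytes come from getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x00" + b"example-self-signed-cert".ljust(256, b"\x00")


def compute_fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Render DER bytes as a pin string such as 'SHA256:AB:CD:...'.

    This is what an operator would paste into the configuration file.
    """
    digest = ALGORITHMS[algorithm](der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{algorithm.upper()}:{pairs}"


def parse_pin(configured: str) -> tuple[str, str]:
    """Normalise a configured pin ('SHA256:AB:CD:...' or 'sha256 abcd...').

    Returns (algorithm, lowercase hex without separators). Raises ValueError
    for unknown algorithms or a wrong digest length, so a typo in the config
    fails closed at startup instead of silently never matching.
    """
    algorithm, _, value = configured.strip().replace(" ", ":").partition(":")
    algorithm = algorithm.lower()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm: {algorithm}")
    hexdigest = value.replace(":", "").lower()
    expected_len = ALGORITHMS[algorithm]().digest_size * 2
    if len(hexdigest) != expected_len or any(c not in "0123456789abcdef" for c in hexdigest):
        raise ValueError("malformed fingerprint value")
    return algorithm, hexdigest


def fingerprint_matches(der: bytes, configured: str) -> bool:
    """True iff the peer's DER bytes hash to the configured pin."""
    algorithm, expected = parse_pin(configured)
    actual = ALGORITHMS[algorithm](der).hexdigest()
    # Constant-time comparison: the check is the whole trust decision.
    return hmac.compare_digest(actual, expected)


def connect_pinned(host: str, port: int, configured: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS client connection accepted only if the peer matches the pin.

    check_hostname and CA verification are switched off on purpose: with a
    self-signed peer certificate there is no chain to validate, and the pin
    configured out of band is what authenticates the peer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, configured):
        tls.close()
        raise ssl.SSLError("peer certificate does not match configured fingerprint")
    return tls


if __name__ == "__main__":
    pin = compute_fingerprint(SAMPLE_DER)
    print("configured pin:", pin)
    print("matches:", fingerprint_matches(SAMPLE_DER, pin))
```

Note that the pin covers the whole certificate, so the peer cannot rotate its key, or even re-issue the same key with a new validity period, without the operator updating the configuration; pinning the SubjectPublicKeyInfo instead (the RFC text allows either) survives re-issuance but needs a DER parser, which the standard library does not provide.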
