If you have one transport sender and one transport receiver, there's
probably no big difference (except that most TLS implementations,
at least in their official releases, don't support RFC 4279 yet).

If you have a large number of transport senders, things get different.
Especially if you're satisfied with authenticating only the server,
PSKs would mean more administrative work (when new clients are added),
since a PSK has to be configured on both ends (while the server
fingerprint needs to be configured only on the new client -- and since
it's not secret, you can e.g. put it in your installation scripts or
instructions).

(That said, it's clear that fingerprints are not the *only* possible
solution here -- but I'd really like to pick one option that's
good enough and get this document published, rather than spend
a lot of time analyzing all the possible solutions.)

Best regards,
Pasi

> -----Original Message-----
> From: ext Rainer Gerhards
> Sent: 23 May, 2008 09:44
> To: [email protected]
> Subject: [Syslog] fingerprint vs PSK
> 
> Hi all,
> 
> in my implementation effort (now mostly completed), I asked several
> people for advice on implementing fingerprints. In almost all cases the
> initial reply was "why use non-standard fingerprints when we have PSK"?
> I know that RFC 4279 in section 1.1 says:
> 
>    If the main goal is to avoid Public-Key Infrastructures (PKIs),
>    another possibility worth considering is using self-signed
>    certificates with public key fingerprints.  Instead of manually
>    configuring a shared secret in, for instance, some configuration
>    file, a fingerprint (hash) of the other party's public key (or
>    certificate) could be placed there instead.
> 
> However, I think it would be useful to add some short text why
> fingerprints are more desirable. And the real question is: are they
> actually more desirable?
> 
> Rainer
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog
> 
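The operational model Pasi describes (the receiver's certificate fingerprint is the only thing a new sender needs to know, and it is not secret) comes down to a few lines of client-side code. The following is an added example, not code from the thread, from the syslog TLS draft, or from any syslog implementation. It assumes the fingerprint is taken over the whole DER-encoded certificate, that it is written as the hash name followed by colon-separated uppercase hex bytes (the "SHA1:" / "SHA256:" labels and the SHA-256 default are this example's choices, not something the thread specifies), and the function names are hypothetical. The `connect_pinned` helper shows where the check sits relative to the TLS handshake; the fingerprint helpers run offline.

```python
import hashlib
import hmac
import socket
import ssl

# Hash algorithms a receiver may advertise in a fingerprint string. The
# "SHA1:" / "SHA256:" label and colon-separated hex layout are this example's
# assumption about the configuration syntax, not text from the thread.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def fingerprint(cert_der: bytes, algo: str = "SHA256") -> str:
    """Return 'ALGO:AA:BB:...' for a DER-encoded certificate.

    This is what the receiver operator publishes (in install scripts,
    documentation, etc.); it is derived from public data and not secret."""
    if algo not in HASHES:
        raise ValueError(f"unsupported fingerprint algorithm {algo!r}")
    digest = HASHES[algo](cert_der).hexdigest().upper()
    return algo + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint(text: str):
    """Split 'ALGO:hex:hex...' into (algo, digest bytes), validating the length
    so a truncated or mistyped fingerprint is rejected at config time."""
    algo, _, hexpart = text.strip().upper().partition(":")
    if algo not in HASHES:
        raise ValueError(f"unsupported fingerprint algorithm {algo!r}")
    raw = bytes.fromhex(hexpart.replace(":", ""))
    expected_len = HASHES[algo]().digest_size
    if len(raw) != expected_len:
        raise ValueError(f"{algo} fingerprint must be {expected_len} bytes, got {len(raw)}")
    return algo, raw


def matches(cert_der: bytes, configured: str) -> bool:
    """True if the certificate's digest equals the configured fingerprint.

    hmac.compare_digest keeps the comparison constant-time, so a failing
    byte position does not leak through timing."""
    algo, want = parse_fingerprint(configured)
    got = HASHES[algo](cert_der).digest()
    return hmac.compare_digest(got, want)


def connect_pinned(host: str, port: int, configured: str) -> ssl.SSLSocket:
    """Open a TLS connection and accept the peer only if its certificate
    matches the configured fingerprint.

    Chain/PKI validation and hostname checking are deliberately off: the
    fingerprint, not a CA, is the trust anchor, so the check is done on the
    raw DER certificate after the handshake instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not matches(der, configured):
        sock.close()
        raise ssl.SSLError("peer certificate does not match configured fingerprint")
    return sock


if __name__ == "__main__":
    # Constructed stand-in for a receiver's DER certificate (not a real cert);
    # with a real one you would pass the bytes read from the .der/.crt file.
    sample_der = b"-- constructed placeholder for a DER certificate --"
    print("publish on the sender side:", fingerprint(sample_der))
```

Note what is and is not configured where: the sender holds one public fingerprint string per receiver; the receiver holds nothing about the sender unless client authentication is wanted. With a PSK, the identity-to-key mapping has to be entered on both sides and kept secret on both, which is the administrative cost Pasi is pointing at.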