Pasi, inline...

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 23, 2008 10:08 AM
> To: Rainer Gerhards; [email protected]
> Subject: RE: [Syslog] fingerprint vs PSK
>
> If you have one transport sender and one transport receiver, there's
> probably no big difference (except that most TLS implementations,
> at least in their official releases, don't support RFC 4279 yet).

A very good point indeed.

> If you have a large number of transport senders, things get different.
> Especially if you're satisfied with authenticating only the server,
> PSKs would mean more administrative work (when new clients are added),
> since it has to be configured on both ends (while the server
> fingerprint needs to be configured only on the new client -- and since
> it's not secret, you can e.g. put it in your installation scripts or
> instructions).
>
> (That said, it's clear that fingerprints are not the *only* possible
> solution here -- but I'd really like to pick one option that's
> good enough and get this document published, rather than spend
> a lot of time analyzing all the possible solutions.)

Thanks for the explanation. I agree that one good-enough solution is fine. I would suggest adding a few sentences on the reasoning to the ID.

Rainer

> Best regards,
> Pasi
>
> > -----Original Message-----
> > From: ext Rainer Gerhards
> > Sent: 23 May, 2008 09:44
> > To: [email protected]
> > Subject: [Syslog] fingerprint vs PSK
> >
> > Hi all,
> >
> > in my implementation effort (now mostly completed), I asked several
> > people for advice on implementing fingerprints. In almost all
> > cases the initial reply was "why use non-standard fingerprints when we
> > have PSK"? I know that RFC 4279 in section 1.1 says:
> >
> >    If the main goal is to avoid Public-Key Infrastructures (PKIs),
> >    another possibility worth considering is using self-signed
> >    certificates with public key fingerprints. Instead of manually
> >    configuring a shared secret in, for instance, some configuration
> >    file, a fingerprint (hash) of the other party's public key (or
> >    certificate) could be placed there instead.
> >
> > However, I think it would be useful to add some short text why
> > fingerprints are more desirable. And the real question is: are they
> > actually more desirable?
> >
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/syslog
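As an added illustration of the fingerprint approach the thread discusses (example code, not from the draft or from Rainer's implementation): the verifying side hashes the peer's DER certificate and compares it in constant time against a fingerprint configured as `ALG:hex` text, which is the "configured only on the one end, and not secret" property Pasi describes. The certificate byte strings are constructed placeholders, not real certificates; in a live TLS session the DER bytes would come from the library, for instance Python's `ssl` socket `getpeercert(binary_form=True)`.

```python
import hashlib
import hmac

# Hash algorithms a configured fingerprint may name (the prefix before ':').
FINGERPRINT_ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256"}

# Constructed placeholder "certificates" (NOT real DER); they only need to be
# distinct byte strings so the accept/reject paths can be exercised offline.
SERVER_CERT = b"\x30\x82\x01\x0a" + b"syslog-receiver-self-signed-cert" * 4
ROGUE_CERT = b"\x30\x82\x01\x0a" + b"syslog-receiver-self-signed-cerT" * 4


def fingerprint_of(cert_der: bytes, algorithm: str = "SHA256") -> str:
    """Return 'ALG:AA:BB:...' for DER certificate bytes; this is the value an
    operator would paste into a client's config or installation script."""
    name = FINGERPRINT_ALGORITHMS[algorithm.upper()]
    digest = hashlib.new(name, cert_der).digest()
    return algorithm.upper() + ":" + ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(text: str):
    """Split a configured fingerprint into (hashlib name, raw digest bytes).
    Accepts upper- or lower-case hex, with or without colon separators.
    Returns None for a malformed string, unknown algorithm or wrong length."""
    alg, sep, hexpart = text.strip().partition(":")
    if not sep or alg.upper() not in FINGERPRINT_ALGORITHMS:
        return None
    try:
        digest = bytes.fromhex(hexpart.replace(":", ""))
    except ValueError:
        return None
    name = FINGERPRINT_ALGORITHMS[alg.upper()]
    if len(digest) != hashlib.new(name).digest_size:
        return None
    return name, digest


def verify_peer_fingerprint(cert_der: bytes, configured: str) -> bool:
    """True only if the presented certificate hashes to the configured value.
    A malformed configuration fails closed; hmac.compare_digest avoids leaking
    the position of the first mismatching byte through timing."""
    parsed = parse_fingerprint(configured)
    if parsed is None:
        return False
    name, expected = parsed
    actual = hashlib.new(name, cert_der).digest()
    return hmac.compare_digest(actual, expected)
```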