The new text looks close.  I agree with Rainer that the MUST on checking 
IP Address should drop to a MAY, or better yet be removed entirely.   It 
could be subsumed within the general ability to check various content 
fields within the certificate.  I find that CN is much more useful.  A MAY 
for CN checking makes much more sense to me.

I think that this is just a leftover from someone's particular use case, 
rather than based on a real security analysis.  Passing the certificate 
test means that both sides have demonstrated that they know their own 
private keys.  That is the good mandatory check.  If either side does not 
know their own private key you have strong evidence that they are not who 
they claim to be.  The real system will always know its own private keys. 
IP address is just a special case.

Passing the certificate test does not mean 100% certainty for 
authentication.  There is always the risk that the machine has not 
protected its private keys.  They can be stolen and the machine can be 
penetrated.  Perhaps someone could explain why the presence of the IP 
Address in the certificate should automatically imply that security has 
been compromised.  Plus, why does matching the IP address in the 
certificate and on the network eliminate that implication?  I can think 
of special use cases where this is the case, but by making it a MUST the 
RFC makes this a global statement.

In practice, if the MUST goes through I'll just make formal policy 
recommendations that healthcare never include IP Address in certificates. 
This is a reasonable recommendation anyhow.  In the present world of NAT, 
DHCP, IPv6 negotiation, mobile machines, etc. the IP address is rather 
unstable.  It doesn't make sense to put it into certificates.  If really 
pressed, I might mention that there is also a minor bug in the syslog-tls 
RFC.

Kind Regards,

Robert Horn | Agfa HealthCare
Research Scientist | HE/Technology Office
T  +1 978 897 4860

Agfa HealthCare Corporation, 100 Challenger Road, Ridgefield Park, NJ, 
07660-2199, United States
http://www.agfa.com/healthcare/
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
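The distinction the message draws, a mandatory proof-of-possession check versus optional checks on certificate content such as CN or an iPAddress subjectAltName, is illustrated below with an added example. This is not code from the e-mail's author, from Agfa, or from the syslog working group; it builds a self-signed test certificate (constructed data) and shows two separate content checks. MatchName matches the configured peer name, and MatchPeerIP implements the contested IP check as an optional policy: a certificate that carries iPAddress entries must match the observed address, while a certificate with none is not rejected (that pass-through behaviour is an assumption made for the example, not a reading of the RFC). The second scenario in main shows why the IP check is brittle behind NAT.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert builds a self-signed certificate (constructed test data, not a
// real syslog deployment) whose subjectAltName carries the given DNS names
// and IP addresses. A cert with neither has only a CN.
func makeCert(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchName is the optional content check on the peer's name: a DNS SAN
// match via the standard library, falling back to the CN only when the
// certificate has no SAN entries at all (Go ignores the CN otherwise).
func MatchName(cert *x509.Certificate, name string) bool {
	if cert.VerifyHostname(name) == nil {
		return true
	}
	noSAN := len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0
	return noSAN && cert.Subject.CommonName == name
}

// MatchPeerIP is the contested IP check, here as a MAY-style policy:
// if the certificate lists iPAddress entries, the observed network address
// must be one of them; a certificate without any IP entries passes.
// (Assumption for this example, not a reading of the RFC text.)
func MatchPeerIP(cert *x509.Certificate, observed net.IP) bool {
	if len(cert.IPAddresses) == 0 {
		return true
	}
	for _, ip := range cert.IPAddresses {
		if ip.Equal(observed) { // Equal handles 4-byte vs 16-byte forms
			return true
		}
	}
	return false
}

func main() {
	// Collector certificate with both a DNS name and an IP SAN.
	withIP, err := makeCert("collector.example",
		[]string{"collector.example"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	fmt.Println("name match:", MatchName(withIP, "collector.example"))
	fmt.Println("IP match, direct:", MatchPeerIP(withIP, net.ParseIP("192.0.2.10")))
	// Same box seen through a NAT: the name still matches, the IP no longer does.
	fmt.Println("IP match, behind NAT:", MatchPeerIP(withIP, net.ParseIP("198.51.100.5")))

	// Certificate with no SAN at all: CN fallback, IP check is a no-op.
	cnOnly, err := makeCert("legacy.example", nil, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("CN fallback:", MatchName(cnOnly, "legacy.example"))
	fmt.Println("IP check on CN-only cert:", MatchPeerIP(cnOnly, net.ParseIP("198.51.100.5")))
}
```

Note that neither check replaces the TLS handshake's own proof that the peer holds the private key; both only constrain which identity that key is allowed to claim.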