Mhhh... Wouldn't it then be appropriate to drop these sentences from transport-tls:

###
Matching for certificate credentials is performed using the matching rules specified by [3].
###

They created the impression (at least for me) that I need to look up the rule in 5280 in order to implement -tls correctly. As you now say, this is not the case (it may be with internationalized names on subject name matching, but it seems not to be in other cases, namely for ipAddress, where it is specified, too).

Rainer

> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2008 3:01 AM
> To: Rainer Gerhards; [email protected]
> Subject: RE: [Syslog] -transport-tls references to "matching rules"
>
> The only place 5280 goes into great detail about matching is with
> internationalized names. I don't think it specifies any specific rules
> for matching the iPaddress within a subjectAltName. This is left up to
> the definition by the application making use of the certificates. I'm
> not sure we need to standardize matching behavior unless it affects the
> representation within the certificates (for example including wildcards
> in the identities).
>
> Joe
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rainer Gerhards
> > Sent: Wednesday, May 28, 2008 8:41 AM
> > To: [email protected]
> > Subject: [Syslog] -transport-tls references to "matching rules"
> >
> > Hi,
> >
> > -transport-tls refers (as [3]) to RFC 5280, e.g. "Matching
> > for certificate credentials is performed using the matching
> > rules specified by [3]." I am revisiting 5280 to find the
> > matching rules for ipAddress. However, this is a nearly 150
> > page document and I admit I do not know its ins and outs. It
> > would be really helpful if a section is mentioned inside the
> > reference so that one can quickly look up the rules.
> >
> > And, a hopefully quick question, where do I find the rules
> > for ipAddress? I was unable to bring it up on a quick look.
> >
> > Thanks,
> > Rainer
> > _______________________________________________
> > Syslog mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/syslog
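Since the thread concludes that iPAddress matching is left to the application, here is one application-defined rule as an added example (not code from the thread, the draft or RFC 5280): compare the subjectAltName iPAddress octets against the configured peer address in binary form, so textual variants of the same address cannot cause a mismatch. The function names and sample values are hypothetical, and extracting the octets from the certificate is assumed to be done by the TLS library.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the thread.
SAN_V4 = bytes([192, 0, 2, 1])
SAN_V6 = bytes.fromhex("20010db8000000000000000000000001")
SAN_WITH_MASK = bytes([192, 0, 2, 0, 255, 255, 255, 0])  # name-constraint form


def san_ip_from_octets(octets):
    """Decode the OCTET STRING of one subjectAltName iPAddress entry.

    RFC 5280 encodes the address in network byte order: 4 octets for IPv4,
    16 for IPv6. Lengths 8 and 32 are address/mask pairs that belong in
    name constraints, so they are rejected here.
    """
    if len(octets) not in (4, 16):
        raise ValueError("unexpected iPAddress length: %d" % len(octets))
    return ipaddress.ip_address(octets)


def matches_configured_peer(san_ip_entries, configured):
    """Return True if any iPAddress entry equals the configured peer address.

    Assumed policy: exact binary equality within the same address family.
    An IPv4-mapped IPv6 entry does not match a plain IPv4 configuration.
    """
    want = ipaddress.ip_address(configured)  # normalizes the textual form
    for raw in san_ip_entries:
        try:
            got = san_ip_from_octets(raw)
        except ValueError:
            continue  # malformed entry: never a match, keep checking others
        if got == want:
            return True
    return False


if __name__ == "__main__":
    print(matches_configured_peer([SAN_V4], "192.0.2.1"))
    print(matches_configured_peer([SAN_V6], "2001:0DB8:0:0:0:0:0:1"))
    print(matches_configured_peer([SAN_WITH_MASK], "192.0.2.0"))
```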
