----- Original Message -----
From: "Moehrke, John (GE Healthcare)" <[EMAIL PROTECTED]>
To: "Rainer Gerhards" <[EMAIL PROTECTED]>; "Joseph Salowey (jsalowey)"
<[EMAIL PROTECTED]>; <[email protected]>
Sent: Tuesday, May 27, 2008 12:15 AM
Subject: Re: [Syslog] Some revised text for syslog TLS


> I have said this before, but people continue to go down this path...
>
> The TLS authentication has already proven that the 'other' side holds
> the private key... this is cryptographically secure authentication...
>

True, but authentication of what? This logic says you might as well use naked
public/private keys, as SSH does.  For me, the point of all the extra hassle of
certificates is that the keys are bound to an identity/identifier so you can
tell, to some degree (depending on what checks the CA has performed) to whom you
are talking.  Then it becomes a question of what identifier to use, CN, MAC,
etc.

At something of a tangent, I see work in RIPE (and the IETF) to use (R)PKI to
secure the routing system so it will become possible to authenticate the
assignee of an IP address.  Not directly applicable, but encouraging both for
the use of PKI and for the acceptability of IP addresses therein.

Tom Petch

> Adding a check of the IP address or DNS address adds very very little
> value, and is not cryptographically secure (unless using Secure DNS).
>
> Therefore there is little value to adding IP or hostname checking, and
> lots of ways it will break (NAT, DHCP, etc).
>
> John
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rainer Gerhards
> > Sent: Monday, May 26, 2008 2:19 AM
> > To: Joseph Salowey (jsalowey); [email protected]
> > Subject: Re: [Syslog] Some revised text for syslog TLS
>
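The distinction argued above, as an added example that is not part of this thread or of any syslog implementation: the TLS handshake only proves the peer holds the private key, and a separate check binds that certificate to whichever identifier the operator configured (SAN DNS name, SAN IP address, or CN). The certificate dict mirrors the shape Python's ssl.getpeercert() returns; the host names and addresses are constructed.

```python
import ipaddress

# Constructed stand-in for ssl.SSLSocket.getpeercert() output for a syslog
# collector's certificate (hypothetical names, not from the thread).
PEER_CERT = {
    "subject": ((("commonName", "loghost.example.net"),),),
    "subjectAltName": (
        ("DNS", "loghost.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}


def san_entries(cert, kind):
    """All subjectAltName values of one type ('DNS' or 'IP Address')."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def common_name(cert):
    """First commonName attribute of the subject, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_matches(pattern, name):
    """Case-insensitive exact match, plus a single leftmost-label wildcard."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name


def peer_identity_ok(cert, expected, kind):
    """Bind the key the handshake proved to a configured identifier.
    kind is 'dns', 'ip' or 'cn'; CN is used for 'dns' only when no SAN exists.
    An 'ip' binding fails as soon as NAT or DHCP changes the address."""
    if kind == "dns":
        names = san_entries(cert, "DNS") or [common_name(cert) or ""]
        return any(dns_matches(n, expected) for n in names)
    if kind == "ip":
        want = ipaddress.ip_address(expected)
        return any(ipaddress.ip_address(v) == want
                   for v in san_entries(cert, "IP Address"))
    if kind == "cn":
        return common_name(cert) == expected
    raise ValueError(f"unknown identifier kind: {kind}")
```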

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
