Replying to myself, I have just read draft-ietf-syslog-transport-tls-12.txt which covers an almost identical territory to transport-tls with server and client roles reversed; worth a read.

Where we referred to RFC2818, it refers to RFC4642 (which itself considers relays). It has a reference to RFC5280 and specifies section 6 for certificate paths. It does not consider fingerprinting. It does not consider alternatives to hostname. And as I have said before, I see a crying need for a generic 'application over ...' I-D for others to draw on and reference, so we do not keep inventing our (square?) wheels.

Tom Petch

----- Original Message -----
From: "tom.petch" <[EMAIL PROTECTED]>
To: "Rainer Gerhards" <[EMAIL PROTECTED]>; "Joseph Salowey (jsalowey)" <[EMAIL PROTECTED]>
Cc: <[email protected]>
Sent: Thursday, May 29, 2008 4:15 PM
Subject: Re: [Syslog] -transport-tls references to "matching rules"

> I think that the I-D has got a bit mangled.
>
> I liked, and may have been responsible for, the reference to RFC2818 as being an
> example of the checks to perform on a certificate, written about a well-known
> application by someone familiar with TLS:-) This was the basis for our
> validation rules, CN deprecated, subjectAltName must be used as an identity etc
> and it helped (me) to know where they came from.
>
> The mention of certificates warranted a reference and that was provided by
> RFC3280. This reference was never about validation rules.
>
> We did not used to have certificate path validation. We do now and I do not
> know a good reference for it; I agree that RFC3280 et seq is not it. This lack
> I see as a(nother?) deficiency on the part of the security engineers:-(
>
> Tom Petch
>
> ----- Original Message -----
> From: "Rainer Gerhards" <[EMAIL PROTECTED]>
> To: "Joseph Salowey (jsalowey)" <[EMAIL PROTECTED]>
> Cc: <[email protected]>
> Sent: Thursday, May 29, 2008 8:21 AM
> Subject: Re: [Syslog] -transport-tls references to "matching rules"
>

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
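The validation rules the thread keeps referring to (subjectAltName as the identity with the CN only a deprecated fallback, a pinned fingerprint as the alternative to hostname matching, and path validation as a separate step that comes first) as an added Python example; this is not code from the I-D, the list or its authors. The certificate dict mimics the shape returned by `ssl.getpeercert()`, the DER bytes, host names and pin are constructed, and the wildcard policy is deliberately stricter than RFC 6125 permits.

```python
"""Peer-identity checks for a TLS connection, written to illustrate the
rules discussed on the list: subjectAltName is the identity, the subject
CN is a deprecated fallback, and a pinned certificate fingerprint is the
usual alternative to hostname matching. Hypothetical helper code; the
certificate dict mimics the shape of ssl.getpeercert()."""
import hashlib
import hmac
import ipaddress


def _normalize_name(name: str) -> str:
    # Case-insensitive comparison; a trailing dot (FQDN form) is ignored.
    return name.lower().rstrip(".")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against the expected hostname.

    A wildcard is accepted only as the whole leftmost label and must leave
    at least two fixed labels ('*.example.net'). That is stricter than
    RFC 6125 allows; it is a common defensive simplification."""
    pattern, hostname = _normalize_name(pattern), _normalize_name(hostname)
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or "*" in pattern[1:]:
        return False
    return (len(plabels) == len(hlabels)
            and hlabels[0] != ""
            and plabels[1:] == hlabels[1:])


def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if the certificate identifies `hostname`.

    Order follows RFC 2818 / RFC 6125: when the certificate carries
    subjectAltName entries of the relevant type, only those are consulted;
    the subject commonName is used only when no such SAN exists."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal is matched only against iPAddress SAN entries.
        for kind, value in san:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == wanted_ip:
                        return True
                except ValueError:
                    continue
        return False
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    # Deprecated fallback: commonName, exact match only, no wildcards.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _normalize_name(value) == _normalize_name(hostname)
    return False


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def match_fingerprint(der: bytes, pinned: str) -> bool:
    """Fingerprint pinning: the alternative to any name-based check.

    Accepts the colon-separated upper-case form that tools print and
    compares in constant time."""
    wanted = pinned.replace(":", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der), wanted)


def verify_peer(cert: dict, der: bytes, hostname=None, pinned=None) -> bool:
    """Identity decision taken after path validation (RFC 5280 section 6)
    has already succeeded in the TLS library: use the pin if one is
    configured, otherwise match the name. With neither, refuse."""
    if pinned is not None:
        return match_fingerprint(der, pinned)
    if hostname is not None:
        return match_hostname(cert, hostname)
    return False


# Constructed sample data, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "legacy.example.net"),)),
    "subjectAltName": (
        ("DNS", "syslog.example.net"),
        ("DNS", "*.logs.example.net"),
        ("IP Address", "192.0.2.10"),
    ),
}
SAMPLE_DER = b"constructed placeholder bytes standing in for DER"
SAMPLE_PIN = sha256_fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    for host in ("syslog.example.net", "relay1.logs.example.net", "legacy.example.net"):
        print(host, match_hostname(SAMPLE_CERT, host))
    print("pin", verify_peer(SAMPLE_CERT, SAMPLE_DER, pinned=SAMPLE_PIN.upper()))
```

Note that `legacy.example.net` is rejected even though it is the CN: once a dNSName SAN is present the CN is never consulted, which is exactly the "CN deprecated, subjectAltName must be used" rule. Pinning short-circuits the name check entirely, which is what makes it an alternative to hostname matching rather than an addition to it.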
