Hello,

just two comments from the implementation perspective.

Joseph Salowey (jsalowey) wrote:
> Both transport receiver and transport sender implementations MUST
> provide a means to generate a key pair and self-signed certificate in
> the case that a key pair and certificate are not available through
> another mechanism.

This might be a problem for some implementations. And it is only useful if the generated certificate can be stored. Devices without writable persistent storage would have to generate their certificates on every restart, thus making them useless for authentication.

> 4.2.2 Certificate Fingerprints
>
> Both client and server implementations MUST make the certificate
> fingerprint for their certificates available through a management
> interface.

A "management interface" is a broad term. In practice I would implement this by logging the certificate's subject and fingerprint on syslogd startup. (Since the log stream is the only output channel.)

--
Martin

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
