Currently, Section 8.9 simply says that "Network administrators need to verify that the key contained in the Payload Block is indeed the key being used on the actual originator."
I think something more is needed to get interoperable implementations. E.g., in syslog-transport-tls, there's text talking about configuration of trust anchors, certification path validation, and matching subject names against some preconfigured values (although here matching against HOSTNAME could be possible, too). If this draft is intended to be used without real PKI (as Jon Callas's mail yesterday suggested), then something resembling the fingerprint mechanism -- or at least some description of how things are supposed to work -- could be needed, too. Best regards, Pasi _______________________________________________ Syslog mailing list [email protected] https://www.ietf.org/mailman/listinfo/syslog
