On Aug 7, 2008, at 12:31 PM, <[EMAIL PROTECTED]> wrote:

> Martin Schütte wrote:
> > I think this is mainly a compatibility concern for users who have
> > existing PKIX certificates with RSA keys and want to use them for
> > TLS and for signing. When creating new keys for syslog-sign then
> > DSA or ECDSA are clearly preferable.
>
> Or existing *CAs* (inside enterprises etc.) that certify only RSA
> keys (not because there's anything wrong with DSA, but because they
> thought nobody would need it).

Yes, but. The existing design and consensus on syslog-sign is that it's a
DSA system, and doesn't require a CA. The rationale, as I said before,
comes from the days when syslog meant UDP, and size truly mattered.
That may not matter so much today, especially if you're using TLS as a
transport.

But that's what the existing consensus is. Do we have to, at this late
date, throw out the existing consensus and put in RSA and CAs?

Jon