Hi Rainer, On Tue, 2 Sep 2008, Rainer Gerhards wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
>> Sent: Tuesday, September 02, 2008 8:17 AM
>> To: [EMAIL PROTECTED]; [email protected]
>> Subject: Re: [Syslog] Need your input on final issues on draft-ietf-syslog-transport-tls
>>
>> Joseph Salowey wrote:
>>
>>> [Joe] Today, there are CAs that issue certificates with wildcards
>>> in the hostname. It would be good if Syslog implementations could
>>> be configured to work with these CAs. It is not required that this
>>> support always be enabled. Would the addition help:
>>>
>>> "The '*' (ASCII 42) wildcard character is allowed in subjectAltName
>>> values of type dNSName (and in Common Name, if used), and then only
>>> as the left-most (least significant) DNS label in that value. This
>>> wildcard matches any left-most DNS label in the server name. That
>>> is, the subject *.example.com matches the server names a.example.com
>>> and b.example.com, but does not match example.com or
>>> a.b.example.com. Implementations SHOULD provide the ability to
>>> enable support for these types of wildcards within the host name in
>>> the certificate."
>>
>> I think this needs to be "Implementations MUST support wildcards in
>> certificates as specified above, but MAY provide a configuration
>> option to disable them."
>
> So we require an application to support certificates to identify the
> remote peer, go to great lengths to prevent anonymous peers ... and then we
> introduce anon peers by allowing wildcards inside the certificate?
> Well... if that's really our intention, I'll no longer object to it. I just
> wonder why we don't simply allow plain anon peers as was suggested by
> others and me several times...
We have the following for unauthenticated sessions:

Section 5.3 for Unauthenticated Transport Sender
Section 5.4 for Unauthenticated Transport Receiver
Section 5.5 for Unauthenticated Transport Receiver and Sender

These sections are where we allow for anonymous peers but still use TLS as the transport.

Thanks,
Chris

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
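The wildcard rule quoted above (a '*' only as the entire left-most DNS label, matching exactly one label, with a configuration switch to turn wildcard acceptance off) is small enough to show as working matching logic. The following is an added example written for this page; it is not code from the syslog working group, the draft, or any TLS library. The function names `matches_dns_name` and `server_identity_ok`, the `allow_wildcards` parameter, the rejection of partial-label forms such as `a*.example.com` and of a bare `*`, and the choice to consult the Common Name only when no subjectAltName dNSName is present are all assumptions of the example, not text from the thread.

```python
# Hostname matching for the wildcard rule discussed in the thread. Added
# illustration, not code from the draft or from any library; the names
# matches_dns_name, server_identity_ok and allow_wildcards are assumptions.


def matches_dns_name(cert_name: str, server_name: str, allow_wildcards: bool = True) -> bool:
    """Return True if a certificate dNSName (or CN) identifies server_name.

    Rule applied (from the quoted text): '*' is permitted only as the whole
    left-most DNS label and matches exactly one label, so *.example.com
    matches a.example.com and b.example.com but not example.com or
    a.b.example.com. allow_wildcards models the configuration option that
    disables wildcard acceptance entirely.
    """
    # DNS names are case-insensitive; a trailing root dot is ignored.
    cert_labels = cert_name.lower().rstrip(".").split(".")
    server_labels = server_name.lower().rstrip(".").split(".")

    # Empty labels (e.g. "a..example.com") never identify anything.
    if "" in cert_labels or "" in server_labels:
        return False

    if "*" not in cert_name:
        # No wildcard: require an exact, label-by-label match.
        return cert_labels == server_labels

    if not allow_wildcards:
        return False

    # The wildcard must be the entire left-most label ("*.example.com").
    # Partial-label forms such as "a*.example.com", wildcards in any other
    # label, and a bare "*" are rejected (a strict reading of "only as the
    # left-most DNS label"; this strictness is an assumption of the example).
    if cert_labels[0] != "*" or len(cert_labels) < 2:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False

    # '*' consumes exactly one label, so the label counts must agree and
    # everything to the right of the wildcard must match exactly.
    if len(cert_labels) != len(server_labels):
        return False
    return cert_labels[1:] == server_labels[1:]


def server_identity_ok(san_dns_names, common_name, server_name, allow_wildcards=True):
    """Check each subjectAltName dNSName; fall back to the CN only when the
    certificate carries no dNSName (assumed reading of "if used")."""
    candidates = list(san_dns_names)
    if not candidates and common_name:
        candidates = [common_name]
    return any(matches_dns_name(c, server_name, allow_wildcards) for c in candidates)


if __name__ == "__main__":
    # Constructed sample: a receiver certificate whose dNSName is *.example.com.
    for name in ("a.example.com", "b.example.com", "example.com", "a.b.example.com"):
        print(name, matches_dns_name("*.example.com", name))
```

Running the block prints True for the two single-label hosts and False for `example.com` and `a.b.example.com`, the four cases the quoted text spells out; passing `allow_wildcards=False` makes every wildcard name fail, which is the "MAY provide a configuration option to disable them" behaviour a receiver operator would set when only exact names are acceptable.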
