On Mon, Feb 22, 2010 at 05:54:48PM +0100, Juergen Schoenwaelder wrote:

> Both transport receiver and transport sender implementations MUST
> provide means to generate a key pair and self-signed certificate in
> the case that a key pair and certificate are not available through
> another mechanism.
>
> I do not know what the idea behind this requirement is or how I comply with
> it. Is this expressing a requirement for the management interface of
> the box? Or is the idea that this is used in some automated fashion
> (which likely does not make sense but would be harmful if read this
> way).

This text seems to be unchanged in -02 and I still do not know how I implement this MUST. On Unix systems, people use tools such as openssl to create certificates etc., while a syslog implementation would typically link against a DTLS library and would not itself have a built-in option to create a self-signed certificate. So is this text putting up an implementation requirement that a syslog daemon must have a _built-in_ option to create a self-signed certificate? My concern is that key / certificate management is something pretty unrelated to the syslog over DTLS transport implementation itself and hence it is somewhat unclear how to implement the MUST.

> The transport receiver and transport sender SHOULD provide mechanisms
> to record the end-entity certificate for the purpose of correlating
> it with the sent or received data.
>
> What is an end-entity certificate? And how do I correlate sent or
> received data?

The second part has been clarified in -02 but I still wonder what an "end entity certificate" is. Probably this is meant:

  The transport receiver and transport sender SHOULD provide mechanisms
  to record the certificate or certificate fingerprint of the remote
  endpoint for the purpose of correlating an identity with the sent or
  received data.

> [...] Once the transport receiver gets a close_notify from the
> transport sender, it MUST reply with a close_notify.
>
> Is it our job to define this? Does DTLS not specify how to handle
> such DTLS alerts?

I am still wondering why we need to specify this...

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
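As an added illustration of the first two points raised in the message above (this is not code from the thread, from the draft, or from any syslog implementation): the "means to generate a key pair and self-signed certificate" can be met by delegating to the external openssl tool, and the "end-entity certificate" of the remote endpoint can be recorded as a SHA-256 fingerprint of its DER encoding, which is the value a transport receiver would log next to the data it received so an identity can be correlated with it later. The file names, the CN `syslog-sender.example`, the peer address and the log-line format are assumptions made up for the example; the script only assumes that the `openssl` command is installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the openssl
# command-line tool is installed; file names, the CN and the log-line
# format are invented for the demo.
set -eu

# Satisfy "means to generate a key pair and self-signed certificate" by
# calling the external openssl tool instead of building certificate
# generation into the syslog daemon.
# $1 = private key file, $2 = certificate file, $3 = subject CN.
gen_selfsigned() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1" -out "$2" -days 365 -nodes -subj "/CN=$3" >/dev/null 2>&1
}

# Fingerprint of an end-entity certificate: SHA-256 over its DER encoding,
# printed as 64 lower-case hex digits. $1 = PEM certificate file.
# (sed strips the "SHA2-256(stdin)= " / "(stdin)= " prefix that differs
# between OpenSSL versions.)
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 \
        | sed 's/^.*= *//' | tr 'A-F' 'a-f'
}

# The same value taken from openssl's own -fingerprint output with the
# colons removed; used to cross-check cert_fingerprint via a second path.
cert_fingerprint_x509() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# What a transport receiver would record per DTLS peer so that messages
# received over that association can later be tied to the identity that
# sent them. $1 = peer address, $2 = peer's PEM certificate, $3 = log file.
record_peer_cert() {
    printf 'dtls-peer=%s end-entity-cert-sha256=%s\n' \
        "$1" "$(cert_fingerprint "$2")" >> "$3"
}

# Stand-alone demo: create a sender identity with openssl, then record it
# the way a receiver would after the DTLS handshake presented that cert.
demo_dir=$(mktemp -d)
gen_selfsigned "$demo_dir/sender-key.pem" "$demo_dir/sender-cert.pem" \
    syslog-sender.example
record_peer_cert 192.0.2.10 "$demo_dir/sender-cert.pem" \
    "$demo_dir/peer-certs.log"
cat "$demo_dir/peer-certs.log"
rm -rf "$demo_dir"
```

The fingerprint, not the whole certificate, is what most deployments actually write to the log: it is fixed-length, unambiguous for a given certificate (a different key or subject gives a different DER encoding and thus a different digest), and can be matched against an operator's allow-list or against the sender's own `openssl x509 -fingerprint -sha256` output when an incident is investigated.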
