On Wed, 2006-01-18 at 09:50 -0800, Eric Hibbard wrote:
> > Maybe I was not completely clear. I think we should go the TLS route and
> > let the operator decide whether he wants authenticated or
> > unauthenticated TLS (or asymmetric authentication, e.g. the server is
> > authenticated but the client is not just like in HTTPS) So I fully agree
> > with Rainer on this one.
>
> This is a way to go, but it is important to note that the absence of
> client-side certificates (authentication) potentially exposes you to
> hostile clients attempting to masquerade as a legitimate client.

_I_ know this, and I would not recommend doing this in any way :) And of
course should be documented in the RFC as well.

> It also makes it more difficult to guard against man-in-the-middle attacks.

If the server is authenticated then MiTM does not apply, does it?

--
Bazsi

_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
