Chris,

> I'm still not seeing too many responses about how TLS is authenticated.
> Only Baszi has said that full X.509 certificates should be used - similar
> to how they are used in stunnel. Is this acceptable to the WG? Should
> the WG also consider using PSKs as proposed in RFC 4279?
>
> Having authenticated TLS will address many of the threats described in RFC
> 3164. Is this how the Working Group wants to proceed? I'd like to hear
> from more people on this.

I think supporting TLS and all of its authentication options is what we should do in our documentation. Or to put it another way, we shouldn't worry ourselves with restricting use of TLS to a particular authentication model, be it PSK or X.509 or something else.

What we should be doing is letting systems people use whatever they feel comfortable with and are already deploying...which makes me think, we need to be saying "authentication style(s) X must be included", to set a minimum level of interoperability between all implementations.

I believe that minimum level should be PSK as anything certificate orientated can quickly become complicated, not just for management but initial use.

So to express this in RFC terms, TLS PSK MUST be supported, TLS .... SHOULD be supported, TLS ......

Darren

_______________________________________________
Syslog mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/syslog
