I agree with Anton. I would *expect*, however, that on the same client the same cert is used. I would expect that multiple clients also use the same cert (with less likelihood). I would not rule out any of the "unexpected" cases.
If you look at the current deployments using stunnel, you can find this in practice.

Rainer

> -----Original Message-----
> From: Anton Okmianski (aokmians) [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 24, 2006 6:20 AM
> To: Miao Fuyou
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Syslog] Coming to consensus on syslog threats
>
> Miao:
>
> > I think it is good that all TCP/TLS clients in the same host
> > (device, relay or collector) share the same client cert.
>
> It depends on what you want to authenticate. I would mandate
> a tie of client identity to identity of the host.
>
> > My further suggestion is to reuse the TLS session for all
> > clients in the same host.
>
> While a valid use-case, we cannot mandate a central syslog
> agent on a host which all clients must use. Each application
> should be allowed to function as an independent syslog client IMO.
>
> > But, I don't think the certs can be generic to different hosts,
> > it will weaken the security of TLS.
>
> There are legitimate use-cases for that. It depends on what
> you want to authenticate. For example, if I want to allow
> access to my server to all applications of type X which all
> share the same certificate even though they are on different
> hosts. In this case, I am authenticating the application
> type, not a specific client or host.
>
> Anton.
>
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/syslog
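The two authentication models the thread contrasts (binding a client cert to the host it runs on, versus accepting one cert shared by every instance of an application type) can be expressed as two collector-side policy checks. This is an added illustration, not code from the thread or from any syslog implementation; the certificate dicts follow the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the sample certificate values are constructed.

```python
"""Collector-side TLS client-cert policies for syslog (added example).

Host-bound policy: the cert must name the peer's source address in its
subjectAltName, so a cert copied to a second host is rejected there.
Application-type policy: any host is accepted if the cert's CN names an
allowed application, which is exactly the shared-cert case the thread
describes. Cert dicts use the ssl.SSLSocket.getpeercert() layout.
"""
from ipaddress import ip_address


def san_values(cert, kind):
    """Return subjectAltName entries of one kind ('IP Address' or 'DNS')."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def subject_cn(cert):
    """Return the subject commonName, or None if the cert has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authenticate_host(cert, peer_ip):
    """Host-bound policy: accept only if the connecting address is in the SAN."""
    allowed = {ip_address(a) for a in san_values(cert, "IP Address")}
    return ip_address(peer_ip) in allowed


def authenticate_application(cert, allowed_apps):
    """Application-type policy: accept if the CN names an allowed application.

    The collector learns only *what kind* of client connected, not which host;
    sharing one cert across hosts is intentional under this policy.
    """
    cn = subject_cn(cert)
    return cn is not None and cn in allowed_apps


# Constructed sample client certificate (values are made up for illustration).
RELAY_CERT = {
    "subject": ((("commonName", "syslog-relay"),),),
    "subjectAltName": (("DNS", "relay1.example.test"), ("IP Address", "192.0.2.10")),
}
```

Under the host-bound policy the same cert presented from 192.0.2.11 is refused, while the application-type policy accepts it from either address.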
