tech-userlevel archive


Re: SoC: Improve syslogd



On Mon, May 26, 2008 at 7:22 PM, Martin Schütte 
<lists%mschuette.name@localhost> wrote:
>> A sane default behaviour would be to use
>> the entry and protocol from the config file and match that against the
>> certificate. E.g. look for sctp://example.net as common name.
>
> I do not think the used transport protocol should be part of an X.509
> certificate. Checks will be against the common name and the subjectAltName
> with DNS and IP entries.

I concur. Checking the protocol is also not included in the upcoming
standard - because there are no different protocol choices in it.

What I still do not fully understand (now) is how you would like to
have a client authenticate the server. Just based on the @@<hostname>?
If so, how do you do fingerprints?

Or do you want to use the same set of permissions for both client and
server operations? e.g. if you intend to send to host
server.example.net, you will also accept incoming connections from it?
I understand your desire for a simple design (and think you have a good
point with it), but I think at least sender and receiver permissions
must be different. For example, I would be very suspicious about a
server that I am sending to connecting back to me. This smells like a
loop.

As a side-note, have you already made up your mind which TLS library
you will probably use?

Rainer
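
The separation of sender and receiver permissions raised in this message, as an added example that is not part of the original post or of any syslogd code: a peer's certificate names (common name plus DNS and IP subjectAltName entries) are matched against a different list for each direction. The policy sets, function names and certificates are hypothetical and constructed, and the certificate chain is assumed to have been validated by the TLS library already.

```python
import ipaddress

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
SERVER_CERT = {
    "subject": ((("commonName", "server.example.net"),),),
    "subjectAltName": (("DNS", "server.example.net"), ("IP Address", "192.0.2.10")),
}
CLIENT_CERT = {
    "subject": ((("commonName", "client1.example.net"),),),
    "subjectAltName": (("DNS", "client1.example.net"),),
}

# Hypothetical policy: one list per direction, never shared.
SEND_TO = {"server.example.net"}        # peers this host connects out to
ACCEPT_FROM = {"client1.example.net"}   # peers allowed to connect in


def normalize(name):
    """Canonical form: textual IP address, or lower-cased DNS name without trailing dot."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.lower().rstrip(".")


def cert_names(cert):
    """Names the certificate vouches for: common name plus DNS and IP subjectAltName entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(normalize(value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(normalize(value))
    return names


def peer_allowed(cert, direction):
    """direction is "out" (we are the sender) or "in" (we are the receiver)."""
    if direction not in ("out", "in"):
        raise ValueError("direction must be 'out' or 'in'")
    allowed = SEND_TO if direction == "out" else ACCEPT_FROM
    return bool(cert_names(cert) & {normalize(n) for n in allowed})
```

With separate lists, the server this host sends to is rejected when it connects back, which is the loop case described above.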

