Re: SoC: Improve syslogd

[Martin Schütte <lists%mschuette.name@localhost>]

Jim Wise schrieb:
> To be likewise honest, I don't think that fingerprints are the right 
> level at which to do access control.

I am not totally convinced about them, but willing to give it a try.
At least it was not difficult to implement the necessary check. :)

> I would much rather see access control set at the host level, and then 
> certificates bound to hosts by one of two methods:
>   a.) a trust chain (preferred) -- a syslog access config file points to 
>   b.) an explicit certificate (worse) -- the syslog config entry 
> If both of these methods are supported, I think we can support large and 
> small configs well.

These are actually the two methods a transport-tls implementation will 
have to support (at least according to the latest mailing list proposal 
http://www.ietf.org/mail-archive/web/syslog/current/msg01920.html).

The only difference is that method a) gets an additional configurable 
subject (so you can configure an IP to connect to and an expected 
dNSName to match the certificate against) and in method b) the explicit 
certificate MAY be configured as a cert-file and MUST be configurable by 
its fingerprint.

--
Martin