<snip>
> > [Joe] I don't know that we need to restrict this to a particular
> > implementation. I think it would be good to provide a management
> > interface to do the generation. It seems that it would be an
> > acceptable implementation to auto-generate it as well.
>
> [Rainer] As long as the syslogd is not required to
> auto-generate certs, I am happy enough ;)
>
> However, I wonder why it would be useful to auto-generate certs.
> Probably I am overlooking something obvious. But: isn't cert
> auto-generation equal to no authentication? After all, if a
> *self-signed* cert is generated by the remote peer AND we
> accept it, doesn't that essentially mean we accept any peer
> because the peer can put whatever it likes into the cert? I
> do not see why this is any better than having no cert at all...

[Joe] When I was thinking of auto-generation I was expecting the certificate to be persistent and the fingerprint would be available to be communicated out of band to the verifier. If you generate a new cert each time the process starts and the other side does not know the fingerprint then what you say is true.
> Rainer

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
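The persistent-certificate-plus-fingerprint model Joe describes, as an added worked example that is not part of this thread and not code from any syslogd implementation discussed on the list: Go code that generates a self-signed certificate, derives its SHA-256 fingerprint (the value an operator would copy out of band), and then authenticates a TLS peer by comparing that fingerprint instead of walking a CA chain. The host name collector.example, the loopback listener and the 10-year validity are assumptions for the demo. The second handshake pins a fingerprint taken from a freshly regenerated certificate the client was never told about, which is exactly Rainer's "equal to no authentication" case: the connection is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 digest of a certificate's DER encoding: the value
// a syslogd would print once and an operator would carry to the peer out of band.
type Fingerprint [sha256.Size]byte

func (f Fingerprint) String() string { return hex.EncodeToString(f[:]) }

// NewSelfSigned generates a key pair and a self-signed certificate for host.
// A persistent deployment would call this once and store key and cert on disk;
// every call yields a new key and therefore a new fingerprint, which is the
// "fresh cert on every start" case the thread warns about.
func NewSelfSigned(host string) (tls.Certificate, Fingerprint, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, Fingerprint{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, Fingerprint{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour), // assumed lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, Fingerprint{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, sha256.Sum256(der), nil
}

// PinnedVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts
// the peer only if its leaf certificate hashes to expected. No CA chain is
// consulted, so the config must also set InsecureSkipVerify: true; otherwise
// Go's default verifier rejects the self-signed cert before this runs.
func PinnedVerifier(expected Fingerprint) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		got := Fingerprint(sha256.Sum256(rawCerts[0]))
		if got != expected {
			return fmt.Errorf("peer fingerprint %s does not match pinned %s", got, expected)
		}
		return nil
	}
}

// main runs a loopback handshake twice: with the fingerprint the operator copied
// from the server, then with one from a regenerated cert the client never saw.
func main() {
	serverCert, serverFP, err := NewSelfSigned("collector.example") // hypothetical host name
	if err != nil {
		panic(err)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // a pin mismatch surfaces as an error on the client side
			c.Close()
		}
	}()
	_, staleFP, _ := NewSelfSigned("collector.example") // same name, different key: unknown to the client
	for _, pin := range []Fingerprint{serverFP, staleFP} {
		cfg := &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: PinnedVerifier(pin)}
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil {
			fmt.Printf("pin %s: rejected (%v)\n", pin, err)
			continue
		}
		conn.Close()
		fmt.Printf("pin %s: accepted\n", pin)
	}
	ln.Close()
}
```

The point of the split is that the security of the scheme lives entirely in the pin: InsecureSkipVerify disables only the CA-chain check, and PinnedVerifier is what actually authenticates the peer, so the fingerprint must be taken from the persisted certificate and the syslogd must reload that certificate on restart rather than regenerate it. The same callback works for mutual authentication by installing it on the server side with ClientAuth set to RequireAnyClientCert.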
