Joe and Chris,

the mailing list processor seems to be a bit slow these days. I sent a
long note this morning saying that I see value in automatically
generated self-signed certs. That mail also outlines when and why.

Please let me know if you did not receive it.

Thanks,
Rainer

> -----Original Message-----
> From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 09, 2008 6:40 PM
> To: Rainer Gerhards
> Cc: [email protected]
> Subject: RE: -transport-tls-12, section 4.2.3 (fingerprints)
> 
> 
> <snip>
> > > [Joe] I don't know that we need to restrict this to a particular
> > > implementation.  I think it would be good to provide a management
> > > interface to do the generation.  It seems that it would be an
> > > acceptable implementation to auto-generate it as well.
> >
> > [Rainer] As long as the syslogd is not required to
> > auto-generate certs, I am happy enough ;)
> >
> > However, I wonder why it would be useful to auto-generate certs.
> > Probably I am overlooking something obvious. But: isn't cert
> > auto-generation equal to no authentication? After all, if a
> > *self-signed* cert is generated by the remote peer AND we
> > accept it, doesn't that essentially mean we accept any peer
> > because the peer can put whatever it likes into the cert? I
> > do not see why this is any better than having no cert at all...
> >
> [Joe] When I was thinking of auto-generation I was expecting the
> certificate to be persistent and the fingerprint would be available to
> be communicated out of band to the verifier.  If you generate a new
> cert each time the process starts and the other side does not know the
> fingerprint then what you say is true.
> 
> > Rainer
> >
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
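The distinction Joe draws (a persistent self-signed cert whose fingerprint was pinned out of band authenticates the peer; a cert regenerated at every start does not) can be shown in a verifier-side check. This is an added example, not code from the draft or from any syslog implementation; it assumes the RFC 5425-style textual fingerprint form "SHA1:hh:hh:..." (hash of the DER certificate), and the certificate bytes below are constructed stand-ins rather than real DER.

```python
import hashlib
import hmac

# Assumed textual form (RFC 5425 style): algorithm label, a colon, then the
# digest as colon-separated upper-case hex octets, e.g. "SHA1:AB:CD:...".
_ALGOS = {"SHA1": "sha1", "SHA256": "sha256"}


def fingerprint(der_cert: bytes, algo: str = "SHA1") -> str:
    """Fingerprint of a DER-encoded certificate in the textual form above."""
    digest = hashlib.new(_ALGOS[algo], der_cert).hexdigest().upper()
    return algo + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_fingerprint(text: str):
    """Split 'ALGO:hh:hh:...' into (hashlib name, raw digest bytes); None if malformed."""
    algo, sep, hexpart = text.strip().partition(":")
    name = _ALGOS.get(algo.upper())
    if not sep or name is None:
        return None
    try:
        raw = bytes.fromhex(hexpart.replace(":", ""))
    except ValueError:
        return None
    return (name, raw) if len(raw) == hashlib.new(name).digest_size else None


def peer_is_trusted(der_cert: bytes, pinned: list) -> bool:
    """True only if the presented cert hashes to one of the out-of-band pins."""
    for entry in pinned:
        parsed = parse_fingerprint(entry)
        if parsed is None:
            continue  # a malformed pin is skipped, never treated as a wildcard
        name, expected = parsed
        actual = hashlib.new(name, der_cert).digest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed stand-ins for DER certificates (any bytes serve for the hashing).
PERSISTENT_CERT = b"constructed: persistent self-signed cert, kept across restarts"
EPHEMERAL_CERT = b"constructed: fresh self-signed cert generated at this startup"

# The operator reads the persistent cert's fingerprint off the sender and pins it.
PINNED = [fingerprint(PERSISTENT_CERT)]

if __name__ == "__main__":
    print("persistent cert accepted:", peer_is_trusted(PERSISTENT_CERT, PINNED))  # True
    print("ephemeral cert accepted:", peer_is_trusted(EPHEMERAL_CERT, PINNED))    # False
```

A cert generated afresh at each start never matches the pin, so the verifier rejects it exactly as the thread describes; only the persistent cert whose fingerprint was conveyed out of band is accepted.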
