>>>>> "Miao" == Miao Fuyou <[EMAIL PROTECTED]> writes:
Miao> Section 2 identifies masquerade as a major security threat
Miao> for syslog. In the draft, client authentication and server
Miao> authentication are SHOULDs (server authentication may not be
Miao> spelled out explicitly). After reading RFC2818 once again, I
Miao> think the server authentication may have to be a MUST for
Miao> the specification to mitigate the MITM, while client
Miao> authentication (mutual authentication actually) may still be
Miao> kept SHOULD.

You can also decide to document that if you care about MITM you need authentication. My point was not to change your decisions, simply to require that you provide an easy way for people to know what security they are getting based on what they are doing.

I've talked to Russ Housley and we will not take a document to the IESG that recommends the reuse of private keys, so the generic certificates section needs to go. You could talk about how devices could be identified by some component of a subject name or subject alternative name and such mechanisms can be used to identify all the devices from a manufacturer; that's true regardless of whether generic certificates are used or one certificate per device.

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog