>>>>> "Miao" == Miao Fuyou <[EMAIL PROTECTED]> writes:

    Miao> Section 2 identifies masquerade as a major security threat
    Miao> for syslog. In the draft, client authentication and server
    Miao> authentication are SHOULDs (server authentication may not be
    Miao> spelled out explicitly). After reading RFC2818 once again, I
    Miao> think the server authentication may have to be a MUST for
    Miao> the specification to mitigate the MITM, while client
    Miao> authentication (mutual authentication actually) may still be
    Miao> kept SHOULD.


You can also decide to document that if you care about MITM you need
authentication.  My point was not to change your decisions, simply to
require that you provide an easy way for people to know what security
they are getting based on what they are doing.

I've talked to Russ Housley and we will not take a document to the
IESG that recommends the reuse of private keys, so the generic
certificates section needs to go.


You could talk about how devices could be identified by some component
of a subject name or subject alternative name and such mechanisms can
be used to identify all the devices from a manufacturer; that's true
regardless of whether generic certificates are used or one certificate
per device.



_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
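
The identification by a component of the subject name or subject alternative name that the reply describes, as an added example that is not part of the original message or of the draft. It assumes the peer certificate has already been chain-validated and is given in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the organization name and the DNS domain are constructed for illustration.

```python
# Added example: authorizing syslog peers by a component of the certificate
# name. Each device keeps its own certificate and key pair; only the naming
# convention is shared. All sample values below are constructed.

def subject_values(cert, attr):
    """Return every value of `attr` in the subject (RDNs may be multi-valued)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == attr]

def san_values(cert, kind):
    """Return subjectAltName entries of one kind, e.g. 'DNS'."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == kind]

def under_domain(name, domain):
    """True if `name` equals `domain` or is a subdomain (label-boundary match)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def from_manufacturer(cert, org=None, dns_domain=None):
    """Match a validated peer certificate against a manufacturer policy.

    Every criterion that is given must match; with no criteria, nothing matches.
    """
    if org is None and dns_domain is None:
        return False
    if org is not None and org not in subject_values(cert, "organizationName"):
        return False
    if dns_domain is not None and not any(
            under_domain(n, dns_domain) for n in san_values(cert, "DNS")):
        return False
    return True

# Constructed certificates, one per device.
DEVICE_A = {
    "subject": ((("organizationName", "Example Devices Inc"),),
                (("commonName", "router-0001"),)),
    "subjectAltName": (("DNS", "router-0001.devices.example.com"),),
}
DEVICE_B = {
    "subject": ((("organizationName", "Example Devices Inc"),),
                (("commonName", "router-0002"),)),
    "subjectAltName": (("DNS", "router-0002.devices.example.com"),),
}
# Constructed non-matching certificate: near-miss organization and domain.
OTHER = {
    "subject": ((("organizationName", "Example Devices Inc."),),
                (("commonName", "router-0001"),)),
    "subjectAltName": (("DNS", "router.baddevices.example.com"),),
}
```

The domain comparison is made on a label boundary, so a name that merely ends with the same characters does not match.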
