>>>>> "Rainer" == Rainer Gerhards <[EMAIL PROTECTED]> writes:

    Rainer> So I would not like to see client and server
    Rainer> authentication to be a MUST. Well ... a MUST for an
    Rainer> implementation to have that capability would be OK. But an
    Rainer> admin must be capable to configure sender and/or receiver
    Rainer> to work without authentication. No matter what we specify
    Rainer> in -protocol, that capability will be available in all
    Rainer> implementations that I foresee. IMHO an unconditional MUST
    Rainer> would create a false sense of security ... and the most
    Rainer> insecure thing is false sense of security.


I'm not asking for mandatory authentication for all the reasons you
cite.

What I'm asking for is

1) Mandatory behavior such that all implementations can work
   together. This includes things like if authentication is going to
   be optional to implement, then there must be an option not to
   require it.


2) A description of what the possibilities are for authentication and
   what security properties you actually get based on what options you
   select when you deploy syslog.


_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
