tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: SoC: Improve syslogd

Jim Wise schrieb:
To be likewise honest, I don't think that fingerprints are the right level at which to do access control.

I am not totally convinced about them, but willing to give it a try.
At least it was not difficult to implement the necessary check. :)

I would much rather see access control set at the host level, and then certificates bound to hosts by one of two methods: a.) a trust chain (preferred) -- a syslog access config file points to b.) an explicit certificate (worse) -- the syslog config entry If both of these methods are supported, I think we can support large and small configs well.

These are actually the two methods a transport-tls implementation will have to support (at least according to the latest mailing list proposal

The only difference is that method a) gets an additional configurable subject (so you can configure an IP to connect to and an expected dNSName to match the certificate against) and in method b) the explicit certificate MAY be configured as a cert-file and MUST be configurable by its fingerprint.


Home | Main Index | Thread Index | Old Index