[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: SoC: Improve syslogd
Jim Wise schrieb:
To be likewise honest, I don't think that fingerprints are the right
level at which to do access control.
I am not totally convinced about them, but willing to give it a try.
At least it was not difficult to implement the necessary check. :)
I would much rather see access control set at the host level, and then
certificates bound to hosts by one of two methods:
a.) a trust chain (preferred) -- a syslog access config file points to
b.) an explicit certificate (worse) -- the syslog config entry
If both of these methods are supported, I think we can support large and
small configs well.
These are actually the two methods a transport-tls implementation will
have to support (at least according to the latest mailing list proposal
The only difference is that method a) gets an additional configurable
subject (so you can configure an IP to connect to and an expected
dNSName to match the certificate against) and in method b) the explicit
certificate MAY be configured as a cert-file and MUST be configurable by
Main Index |
Thread Index |