Re: [Syslog] Need your input on final issues on draft-ietf-syslog-transport-tls
> -----Original Message-----
> From: syslog-bounces at ietf.org [mailto:syslog-bounces at ietf.org] On
> Behalf Of Pasi.Eronen at nokia.com
> Sent: Tuesday, September 02, 2008 8:17 AM
> To: jsalowey at cisco.com; syslog at ietf.org
> Subject: Re: [Syslog] Need your input on final issues on draft-ietf-syslog-transport-tls
>
> Joseph Salowey wrote:
>
> > [Joe] Today, there are CA's that issue certificates with wildcards
> > in the hostname. It would be good if Syslog implementations could
> > be configured to work with these CA's. It is not required that this
> > support always be enabled. Would the addition help:
> >
> > "The '*' (ASCII 42) wildcard character is allowed in subjectAltName
> > values of type dNSName (and in Common Name, if used), and then only
> > as the left-most (least significant) DNS label in that value. This
> > wildcard matches any left-most DNS label in the server name. That
> > is, the subject *.example.com matches the server names a.example.com
> > and b.example.com, but does not match example.com or
> > a.b.example.com. Implementations SHOULD provide the ability to
> > enable support for these types of wildcards within the host name in
> > the certificate. "
>
> I think this needs to be "Implementations MUST support wildcards in
> certificates as specified above, but MAY provide a configuration
> option to disable them."
So we require an application to support certificates to identify the
remote peer, go to great lengths to prevent anonymous peers ... and then we
introduce anon peers by allowing wildcards inside the certificate?
Well... if that's really our intention, I'll no longer object to it. I just
wonder why we don't simply allow plain anon peers as was suggested by
others and me several times...
Rainer
>
> Best regards,
> Pasi
_______________________________________________
Syslog mailing list
Syslog at ietf.org
https://www.ietf.org/mailman/listinfo/syslog
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
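The wildcard rule quoted above (a '*' only as the whole left-most label, matching exactly one label of the server name) and the "MUST support, MAY disable" configuration point, as an added Python example that is not part of this thread or of any syslog implementation; the function name `cert_name_matches`, the `allow_wildcards` flag and the rejection of a bare "*" (a conservative check beyond the quoted text) are assumptions of this example.

```python
"""Matching a certificate dNSName value against a syslog peer's host name.

Rules taken from the quoted draft text:
  * '*' may appear only as the entire left-most label of the certificate name.
  * It matches exactly one left-most label of the presented server name, so
    '*.example.com' matches 'a.example.com' but not 'example.com' or
    'a.b.example.com'.
Wildcard support is governed by a caller-supplied flag, mirroring the
"MUST support wildcards, MAY provide an option to disable them" wording.
"""


def _labels(name: str) -> list:
    # DNS names compare case-insensitively; a trailing dot marks an absolute name.
    return name.lower().rstrip(".").split(".")


def cert_name_matches(cert_name: str, server_name: str,
                      allow_wildcards: bool = True) -> bool:
    """Return True if the certificate's dNSName value identifies server_name."""
    cert = _labels(cert_name)
    host = _labels(server_name)
    if "" in cert or "" in host:
        return False  # empty labels (e.g. 'a..b' or '') are never valid names
    if "*" not in cert_name:
        return cert == host  # plain name: exact label-by-label comparison
    if not allow_wildcards:
        return False  # wildcard certificate rejected by local configuration
    # The wildcard must be the whole left-most label and appear nowhere else;
    # a bare '*' with no domain part is rejected as well (assumption, not in the text).
    if len(cert) < 2 or cert[0] != "*" or any("*" in lbl for lbl in cert[1:]):
        return False
    # '*' consumes exactly one label, so the remaining labels must match exactly.
    return len(cert) == len(host) and cert[1:] == host[1:]


def identify_peer(san_dns_names: list, expected_host: str,
                  allow_wildcards: bool = True):
    """Return the first dNSName value that identifies expected_host, or None.

    Illustrates the concern raised in the reply: a single '*.example.com'
    certificate identifies every host in the domain, not one specific peer.
    """
    for name in san_dns_names:
        if cert_name_matches(name, expected_host, allow_wildcards):
            return name
    return None
```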