Re: [Syslog] Some revised text for syslog TLS
<Pasi.Eronen@nokia.com> Mon, 26 May 2008 13:06 UTC
Rainer Gerhards wrote:

> Please keep in mind that my message was related to the question if
> there is a use case for using IPs inside a certificate. As I said
> above, there is.

Ok. Do you think this use case is important enough to keep this
feature (checking IPAddress subjectAltName) as part of the "MUST
implement" baseline?

(Joe's latest text already has other forms of name comparison as
optional: "Implementations MAY also support authorization based on
other attributes. For example, the authorization of a device Serial
Number against the SerialNumber portion of the Subject Distinguished
Name [...]")

> > To support such situation -- while still avoiding dependency on
> > DNS -- it would be useful if you could configure the IP address
> > (used for opening the connection) and server name (compared
> > against the certificate, but not looked up from DNS) separately.
> >
> > I don't know what that would look like in your configuration file
> > syntax, but maybe something like
> >
> >   *.* @@192.0.2.1[syslogsrv2.example.com]
>
> rsyslog of course supports this. The actual syntax is:
>
> $ActionSendStreamDriverAuthMode x509/name # soon to be default
> $ActionSendStreamDriverPermittedPeer syslogsrv2.example.com
> *.* @@192.0.2.1

Ok, good to know.

Best regards,
Pasi
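The split discussed in this message, the address used to open the connection versus the identity compared against the certificate, sketched as an added example (not code from the thread or from rsyslog). Function names and sample certificates are constructed; the certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the example also covers the IPAddress subjectAltName case and left-most-label wildcards.

```python
import ipaddress

# Constructed sample certificates, in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns (only the field used here).
CERT_DNS = {"subjectAltName": (("DNS", "syslogsrv2.example.com"),)}
CERT_IP = {"subjectAltName": (("IP Address", "192.0.2.1"),)}
CERT_WILD = {"subjectAltName": (("DNS", "*.example.com"),)}


def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, name):
    """Case-insensitive dNSName match; '*' may replace the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or "" in n:
        return False
    if p[0] == "*" and len(p) > 2:   # never honour '*.com'-style patterns
        p, n = p[1:], n[1:]
    return p == n


def peer_permitted(cert, permitted_peer):
    """Compare the configured peer identity with the certificate's
    subjectAltName entries. Nothing is resolved through DNS: an IP literal
    is compared with iPAddress entries, anything else with dNSName entries."""
    sans = cert.get("subjectAltName", ())
    want_ip = _as_ip(permitted_peer)
    if want_ip is not None:
        return any(kind == "IP Address" and _as_ip(value) == want_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, permitted_peer)
               for kind, value in sans)


def check_action(connect_ip, permitted_peer, cert):
    """Model of the split: connect_ip only says where the connection is
    opened; the certificate is judged against permitted_peer alone."""
    ipaddress.ip_address(connect_ip)  # raises ValueError unless an IP literal
    return peer_permitted(cert, permitted_peer)
```

With Python's own `ssl` module the same split is obtained by connecting the socket to the IP address and passing the name as `server_hostname` to `SSLContext.wrap_socket`.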