Re: [Syslog] revised 5.2 text : please comment was: RE: Need your input on finalissuesondraft-ietf-syslog-transport-tls
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Syslog] revised 5.2 text : please comment was: RE: Need your input on finalissuesondraft-ietf-syslog-transport-tls

Looks good, but the text about wildcards in locally configured
names was lost.

Best regards,
Pasi

> -----Original Message-----
> From: syslog-bounces at ietf.org 
> [mailto:syslog-bounces at ietf.org] On Behalf Of ext Chris Lonvick
> Sent: 03 September, 2008 23:44
> To: Joseph Salowey (jsalowey)
> Cc: syslog
> Subject: [Syslog] revised 5.2 text : please comment was: RE: 
> Need your input on finalissuesondraft-ietf-syslog-transport-tls
> 
> Hi,
> 
> I'm going to take a stab at word smithing. I think there's still some 
> ambiguity in the section that Joe just proposed and we may be able to 
> resolve by putting in bullets.  Please look at this and give feedback.
> 
> ===
>     Implementations MUST support certification path 
> validation [RFC5280].
>     In addition they MUST support specifying the authorized 
> peers using
>     locally configured host names and matching the name against the
>     certificate as follows.
>       o Implementations MUST support matching the locally 
> configured host
>         name against a dNSName in the subjectAltName 
> extension field and
>         SHOULD support checking the name against the common 
> name portion of
>         the subject distinguished name.
>       o Implementations MAY support matching a locally configured IP
>         address against an iPAddress stored in the subjectAltName
>         extension.  In this case, the locally configured IP address is
>         converted to an octet string as specified in RFC 5280, Section
>         4.2.1.6.  A match occurs if this octet string is 
> equal to the value
>         of iPAddress in the subjectAltName extension.
>       o The '*' (ASCII 42) wildcard character is allowed in 
> the dNSName of
>         the subjectAltName extension (and in common name, if 
> used to store
>         the host name), and then only as the left-most (least 
> significant)
>         DNS label in that value.  This wildcard matches any 
> left-most DNS
>         label in the server name.  That is, the subject *.example.com
>         matches the server names a.example.com and 
> b.example.com, but does
>         not match example.com or a.b.example.com. Implementations MUST
>         support wildcards in certificates as specified above, but MAY
>         provide a configuration option to disable them.
>       o If the locally configured name is an internationalized domain
>         name, conforming implementations MUST convert it to the ASCII
>         Compatible Encoding (ACE) format as specified in 
> Section 7 of RFC
>         5280.
> 
> ===
> 
> Does this work for anyone?  :-)
> 
> Thanks,
> Chris
> _______________________________________________
> Syslog mailing list
> Syslog at ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
> 
_______________________________________________
Syslog mailing list
Syslog at ietf.org
https://www.ietf.org/mailman/listinfo/syslog

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.