> It might be common, but it's wrong. If you're using cert-based
> authentication, reusing the same certificate is effectively defeating
> the purpose. True, in some specific use cases it might be OK but a
> decision to do so should be preceded by risk analysis. In general -
> using the same cryptographic material to mass-authenticate multiple
> clients does not differ significantly from not authenticating them at all.
I basically agree. There seems to be a common use case, with vendor-provided monitoring devices where the customer has no real access. I've often seen this used in those settings. But: it's definitely not as secure as it (c|sh)ould be ;-)

Just my 2cts

Rainer

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog