Cert pinning

James Browning jamesb.fe80 at gmail.com
Mon Apr 1 00:20:06 UTC 2019


On Sun, Mar 31, 2019, 4:47 PM Richard Laager via devel <devel at ntpsec.org>
wrote:

> On 3/31/19 5:07 AM, Achim Gratz via devel wrote:
> > So yes, injecting the trust anchor(s) to use for a specific set of
> > NTS-KE would be the easier option.
>
> How about this:
>
> 1) Add a root=file (or dir?) option. This overrides the allowed roots
> for that association. Only the root(s) in that file are allowed for that
> association, regardless of what is normally on the system. So this can
> be used to restrict (sort of like pinning, but only for roots), but
> assuming we implement pinning, it would be mainly intended to allow a
> particular root that is not trusted generally.
>
> This option would allow Gary's scenario to validate, without needing to
> trust that root system-wide. He would presumably then eliminate "noval"
> from that configuration line.
>

According to the ntp.conf man page there already is a ca option
(unimplemented) for that. I did not remember seeing that detail earlier.
