Cert pinning
Gary E. Miller
gem at rellim.com
Mon Apr 1 01:58:45 UTC 2019
Yo Richard!
On Sun, 31 Mar 2019 18:47:35 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:
> This option would allow Gary's scenario to validate, without needing
> to trust that root system-wide. He would presumably then eliminate
> "noval" from that configuration line.
Failing to match a root CA in the local cert is only one of many ways
that a cert can fail to validate. Before noval can be removed there
must be a workaround for all of them. There are also checks for
validity dates, certificate revocation, hostname matching, etc.
> 2) If we want more, implement some form of pinning. As the intention
> of pinning is to further restrict the trust anchors, this would be in
> addition to normal validation, not instead of it.
Why? Many other protocols use pinning sometimes to suplement a
cert chain, sometimes in addition to it. No reason not to support
both options.
> The pinning options
> would be mutually exclusive of "noval" to keep the implementation
> straightforward and to help prevent people from shooting themselves in
> the foot.
We should be so lucky...
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190331/3ee764f5/attachment.bin>
More information about the devel
mailing list