Cert pinning

Richard Laager rlaager at wiktel.com
Mon Apr 1 02:06:25 UTC 2019


On 3/31/19 8:58 PM, Gary E. Miller via devel wrote:
> Yo Richard!
> 
> On Sun, 31 Mar 2019 18:47:35 -0500
> Richard Laager via devel <devel at ntpsec.org> wrote:
> 
>> This option would allow Gary's scenario to validate, without needing
>> to trust that root system-wide. He would presumably then eliminate
>> "noval" from that configuration line.
> 
> Failing to match a root CA in the local cert is only one of many ways
> that a cert can fail to validate.  Before noval can be removed there
> must be a workaround for all of them.

I don't know how I can be more clear about this. I'm suggesting that
you, individually, would remove "noval" from one particular NTS
association once we have "root" or "ca" to fix validation in that
scenario. I am not suggesting the "noval" option be removed from ntpd.

-- 
Richard
