Cert pinning

Gary E. Miller gem at rellim.com
Mon Apr 1 02:23:25 UTC 2019

Yo Richard!

On Sun, 31 Mar 2019 21:06:25 -0500
Richard Laager via devel <devel at ntpsec.org> wrote:

> On 3/31/19 8:58 PM, Gary E. Miller via devel wrote:
> > Yo Richard!
> > 
> > On Sun, 31 Mar 2019 18:47:35 -0500
> > Richard Laager via devel <devel at ntpsec.org> wrote:
> >   
> >> This option would allow Gary's scenario to validate, without
> >> needing to trust that root system-wide. He would presumably then
> >> eliminate "noval" from that configuration line.  
> > 
> > Failing to match a root CA in the local cert is only one of many
> > ways that a cert can fail to validate.  Before noval can be removed
> > there must be a workaround for all of them.  
> I don't know how I can be more clear about this. I'm suggesting that
> you, individually, would remove "noval" from one particular NTS
> association once we have "root" or "ca" to fix validation in that
> scenario. I am not suggesting the "noval" option be removed from ntpd.

If wishes were dreams then beggars would ride.  We may, or may not, ever
have the "root" or "ca" options per server.  Personally, I find them
more confusing than helpful.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin