NTS: removed "not implemented" on server ca

Gary E. Miller gem at rellim.com
Wed Apr 3 18:42:09 UTC 2019


Yo Achim!

On Wed, 03 Apr 2019 20:23:37 +0200
Achim Gratz via devel <devel at ntpsec.org> wrote:

> Gary E. Miller via devel writes:
> >> I think openssl is expecting the root cert.  
> 
> OpenSSL expects a PKI directory (in which each cert has to have a
> certain filename so it doesn't have to read all files each time) or a
> bundle file with all the certs concatenated.

Not so much what OpenSSL expects as what Hal coded.

> > And in the case of ostfalia, I only could get their root cert
> > because I was talking to the guy.  Much more common case is I just
> > have the end cert.  
> 
> If you can't get the root cert, you cannot validate anything that has
> this root as the trust anchor.

And yet, yesterday I was able to use git head to validate using just
a Let's Encrypt chain file.  So, yes, you need a root file to validate
against a root file, but you can validate against intermediate files
too.  This is a good thing.

>  A root cert is nothing but a normal
> cert that is signed by the same public key that it certifies (plus
> some metadata around it).  It's a "root" cert because there is no
> further way of verifying it.

Sure, if you ignore OCSP, revocation lists, pinning, etc.  But not
really important to NTS.  An NTS user should be able to validate as
he wishes.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
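The two points argued above (whether an intermediate alone can serve as the trust anchor, and what OpenSSL's CApath directory actually requires) can be checked directly with the openssl CLI. The script below is an added example, not NTPsec code and not a description of what git head's loader does: it builds a constructed root -> intermediate -> leaf PKI in a temp directory (all names made up for the example) and runs `openssl verify` against each style of trust store. It assumes an openssl binary of 1.1.0 or newer in PATH (for `-no-CAfile`/`-no-CApath` and `-partial_chain`).

```shell
#!/bin/sh
# Added example (not NTPsec code): throwaway root -> intermediate -> leaf
# chain, used to show what the stock OpenSSL verifier accepts as a trust store.
# Every name, file and hostname below is constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build the PKI with EC keys (fast) and explicit basicConstraints.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ntp.example.test\n' > leaf.ext

  # Self-signed root.
  openssl ecparam -genkey -name prime256v1 -noout -out root.key
  openssl req -new -key root.key -subj "/CN=Example Root" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem

  # Intermediate, signed by the root.
  openssl ecparam -genkey -name prime256v1 -noout -out int.key
  openssl req -new -key int.key -subj "/CN=Example Intermediate" -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out int.pem

  # Leaf (the NTS server's end cert), signed by the intermediate.
  openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
  openssl req -new -key leaf.key -subj "/CN=ntp.example.test" -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem

  # Two CApath-style directories holding the same root: one named the way
  # OpenSSL's hash-dir lookup expects (<subject hash>.0), one with an
  # arbitrary filename that the lookup will never open.
  mkdir -p hashed unhashed
  cp root.pem "hashed/$(openssl x509 -noout -hash -in root.pem).0"
  cp root.pem unhashed/root.pem
}

# Run openssl verify with only the given trust store (no system defaults);
# print OK or FAIL so that callers under set -e never abort.
check() {
  if openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Root in the store, intermediate supplied as untrusted chain material.
verify_with_root()         { check -CAfile root.pem -untrusted int.pem leaf.pem; }
# Only the intermediate in the store: the default verifier insists on
# reaching a self-signed cert and fails.
verify_intermediate_only() { check -CAfile int.pem leaf.pem; }
# Same store, but the verifier is told a non-self-signed anchor is acceptable.
verify_partial_chain()     { check -partial_chain -CAfile int.pem leaf.pem; }
# Bundle file: root and intermediate concatenated into one PEM.
verify_bundle()            { cat root.pem int.pem > bundle.pem; check -CAfile bundle.pem leaf.pem; }
# CApath directory with a correctly hash-named root.
verify_capath_hashed()     { check -CApath hashed -untrusted int.pem leaf.pem; }
# CApath directory where the root sits under a name the lookup ignores.
verify_capath_unhashed()   { check -CApath unhashed -untrusted int.pem leaf.pem; }

make_pki >/dev/null 2>&1
echo "root in store, intermediate untrusted: $(verify_with_root)"
echo "intermediate only, default flags:      $(verify_intermediate_only)"
echo "intermediate only, -partial_chain:     $(verify_partial_chain)"
echo "root+intermediate bundle file:         $(verify_bundle)"
echo "CApath with <hash>.0 filename:         $(verify_capath_hashed)"
echo "CApath with arbitrary filename:        $(verify_capath_unhashed)"
```

The `-partial_chain` case is the CLI spelling of `X509_V_FLAG_PARTIAL_CHAIN`; a program that loads an intermediate as its only trust anchor needs that flag set on its verify parameters, or the handshake ends with "unable to get issuer certificate". The hashed-versus-unhashed pair is why `c_rehash` (or `openssl rehash`) exists: a CApath directory is indexed by subject-name hash, so a cert dropped in under any other name is simply never read.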