Wildcards on cert host checking

James Browning jamesb.fe80 at gmail.com
Wed Feb 13 23:12:24 UTC 2019


On 2/13/19, Gary E. Miller via devel <devel at ntpsec.org> wrote:
> Yo James!
>
> On Wed, 13 Feb 2019 14:36:38 -0800
> James Browning via devel <devel at ntpsec.org> wrote:
>
>> On Wed, Feb 13, 2019, 2:30 PM Hal Murray via devel <devel at ntpsec.org
>> wrote:
>>
>> > Any reason to allow or prohibit them?
>> >
>>
>> I think allowing them would simplify the pool case I proposed a while
>> back, but it is less likely to be a problem due to letsencrypt.
>
> So you are assuming Hal is asking about cert names of *.example.org.
>
> How would this be used in a public pool?  How would one issue a cert
> for *.pool.example.org to be used on any old host anywhere.  That would
> require the pool to also run matching forward DNS for each server in the
> pool.

I wrote a proposal for how to handle an NTS enabled pool (including
something on how not to share K), back in "The key-management argument"
https://lists.ntpsec.org/pipermail/devel/2019-January/007105.html

I was thinking (probably wrongly) that extra domains could be split and
used as limiters on which servers are returned. For example, I might want
NTPsec tolerating (not that I believe we would abuse them), high stratum
servers in North America. I seem to remember this was before much of
anything was implemented so meh.
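Added example (not part of this thread or the NTPsec code base): a hostname matcher using the conservative RFC 6125 wildcard rules, run against the `*.pool.example.org` case from the discussion. It shows why such a certificate only vouches for names directly under `pool.example.org`, so each pool member still needs its own forward DNS name under that zone. All hostnames are constructed sample values.

```python
import ipaddress

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a dNSName SAN `pattern` against `hostname` (RFC 6125 style).

    Rules applied:
    - '*' is allowed only as the entire leftmost label,
    - it matches exactly one label, never across a dot,
    - the parent domain itself (pool.example.org) does not match,
    - at least two fixed labels must follow the wildcard (no '*.org'),
    - IP addresses never match a dNSName entry.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    try:
        ipaddress.ip_address(hostname)
        return False  # would need an iPAddress SAN, not a dNSName
    except ValueError:
        pass
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in plabels[1:] or len(plabels) < 3:
        return False
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return hlabels[1:] == plabels[1:]

def check_pool_cert(pattern: str, candidates: list) -> dict:
    """Report which candidate server names a pool wildcard cert covers."""
    return {host: wildcard_matches(pattern, host) for host in candidates}

if __name__ == "__main__":
    # Constructed sample names for a hypothetical NTS pool.
    result = check_pool_cert("*.pool.example.org", [
        "a.pool.example.org",      # covered
        "pool.example.org",        # parent zone: not covered
        "x.a.pool.example.org",    # two labels deep: not covered
        "ntp.volunteer.example",   # unrelated volunteer host: not covered
        "192.0.2.1",               # raw IP: not covered
    ])
    for host, ok in result.items():
        print(f"{host:28} {'match' if ok else 'no match'}")
```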
