Current status
Eric S. Raymond
esr at thyrsus.com
Thu Feb 14 16:45:29 UTC 2019
Hal Murray via devel <devel at ntpsec.org>:
> Are we interested in client certificates? If so, why?
>
> struct ntsconfig_t has:
> /* Configuration data for an NTS server or client instance */
> char *ca; /* site default */
> char *cert; /* site default */
>
> I assume that cert is the filename for the server's certificate chain. If so,
> the second "site default" is bogus.
OK, tell me what should go there. Or add it yourself. I don't understand TLS
very well yet; I was just trying to write data structures and config options
corresponding to what I saw in nts.adoc.
> We need a slot in there for the private key.
Add it.
> doc for ca says:
> Use the file (or directory) specified by _location_ to
> validate NTS-KE server certificates. This is a default
> for all client and server connections.
>
> OpenSSL has separate slots for root-cert dir and file. How should I tell
> which? Should we have separate config options?
>
> I think Fedora and Debian cat all the certs in a directory into a file and
> then use that for the default. Sounds like a speedup.
Your call on these. I'll supply the parser support for what you decide.
> There is a similar ca slot per server.
> char *ca; /* if NULL, use the site default (normal case) */
> Why? Are we really interested in per server root certs for certificate
> checking? If so, example please?
That was a response to mail I saw on devel. It may be wrong.
--
Eric S. Raymond <http://www.catb.org/~esr/>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
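The two open questions in this exchange (how a single `ca` location maps onto OpenSSL's separate CAfile and CApath slots, and where the private key for the server cert lives) can be answered mechanically. The following is an added illustration written for this archive page, not NTPsec code: the struct names `nts_site_cfg` and `nts_server_cfg` mirror the quoted `ntsconfig_t` fields but are hypothetical, the `key` field is the slot Hal asks for, and `resolve_ca()` uses stat(2) to decide whether a configured location is a bundle file or a directory before it would be handed to `SSL_CTX_load_verify_locations(ctx, CAfile, CApath)`. The fixtures in `run_demo()` (a temp file, a temp directory, `/dev/null`, a nonexistent path) are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical layouts mirroring the quoted ntsconfig_t, plus the private-key
 * slot Hal asks for.  Added illustration, not NTPsec code. */
struct nts_site_cfg {
    const char *ca;   /* trust anchors: PEM bundle file or hashed directory */
    const char *cert; /* this server's certificate chain (server side only) */
    const char *key;  /* private key matching cert */
};

struct nts_server_cfg {
    const char *ca;   /* if NULL, use the site default (normal case) */
};

/* The two OpenSSL slots: SSL_CTX_load_verify_locations(ctx, CAfile, CApath).
 * Exactly one is non-NULL on success. */
struct ca_location {
    const char *cafile;
    const char *capath;
};

enum ca_status { CA_OK, CA_UNSET, CA_MISSING, CA_NOT_FILE_OR_DIR };

/* Pick the trust store (per-server override, else site default) and let
 * stat(2) decide whether OpenSSL should receive it as CAfile or CApath. */
enum ca_status resolve_ca(const struct nts_site_cfg *site,
                          const struct nts_server_cfg *srv,
                          struct ca_location *out)
{
    const char *loc = (srv != NULL && srv->ca != NULL) ? srv->ca : site->ca;
    struct stat st;

    out->cafile = out->capath = NULL;
    if (loc == NULL)
        return CA_UNSET;
    if (stat(loc, &st) != 0)
        return CA_MISSING;
    if (S_ISDIR(st.st_mode)) { out->capath = loc; return CA_OK; }
    if (S_ISREG(st.st_mode)) { out->cafile = loc; return CA_OK; }
    return CA_NOT_FILE_OR_DIR; /* device node, socket, FIFO ... */
}

enum id_status { ID_OK, ID_NO_CERT, ID_NO_KEY, ID_UNREADABLE };

/* A server needs both the cert chain and its private key; a client needs neither. */
enum id_status check_server_identity(const struct nts_site_cfg *site)
{
    if (site->cert == NULL) return ID_NO_CERT;
    if (site->key == NULL) return ID_NO_KEY;
    if (access(site->cert, R_OK) != 0 || access(site->key, R_OK) != 0)
        return ID_UNREADABLE;
    return ID_OK;
}

/* Exercise the resolver against constructed fixtures: a temp file, a temp
 * directory, a device node and a missing path.  Returns the number of failed
 * checks; 0 means every case was classified as expected. */
int run_demo(void)
{
    char dir[] = "/tmp/nts-ca-dir.XXXXXX";     /* constructed fixture */
    char file[] = "/tmp/nts-ca-bundle.XXXXXX"; /* constructed fixture */
    struct nts_site_cfg site = { NULL, NULL, NULL };
    struct nts_server_cfg srv = { NULL };
    struct ca_location loc;
    int fd, failures = 0;

    if (mkdtemp(dir) == NULL || (fd = mkstemp(file)) < 0)
        return 99; /* could not build the fixtures */
    close(fd);

    site.ca = file;                 /* site default: a bundle file */
    failures += !(resolve_ca(&site, &srv, &loc) == CA_OK && loc.cafile == file && loc.capath == NULL);
    srv.ca = dir;                   /* per-server override: a directory */
    failures += !(resolve_ca(&site, &srv, &loc) == CA_OK && loc.capath == dir && loc.cafile == NULL);
    srv.ca = "/dev/null";           /* neither file nor directory */
    failures += !(resolve_ca(&site, &srv, &loc) == CA_NOT_FILE_OR_DIR);
    srv.ca = "/nonexistent/nts/ca"; /* typo in the config */
    failures += !(resolve_ca(&site, &srv, &loc) == CA_MISSING);
    site.ca = NULL; srv.ca = NULL;  /* nothing configured anywhere */
    failures += !(resolve_ca(&site, &srv, &loc) == CA_UNSET);
    site.cert = file;               /* cert without key is not a usable server */
    failures += !(check_server_identity(&site) == ID_NO_KEY);
    site.key = file;
    failures += !(check_server_identity(&site) == ID_OK);

    unlink(file);
    rmdir(dir);
    return failures;
}

int main(void)
{
    int f = run_demo();
    printf("%d check(s) failed\n", f);
    return f != 0;
}
```

One caveat for the directory case: OpenSSL looks certificates up in a CApath directory by subject-name hash, so the directory has to be prepared with `openssl rehash` (or the older `c_rehash`) before it is useful; a concatenated bundle file needs no such step, which is the convenience Hal's distro observation points at.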