Current status

Eric S. Raymond esr at thyrsus.com
Thu Feb 14 16:45:29 UTC 2019


Hal Murray via devel <devel at ntpsec.org>:
> Are we interested in client certificates?  If so, why?
> 
> struct ntsconfig_t has:
> /* Configuration data for an NTS server or client instance */
>     char *ca;                   /* site default */
>     char *cert;                 /* site default */
> 
> I assume that cert is the filename for the server's certificate chain.  If so, 
> the second "site default" is bogus.

OK, tell me what should go there.  Or add it yourself.  I don't understand TLS
very well yet; I was just trying to write data structures and config options
corresponding to what I saw in nts.adoc.

> We need a slot in there for the private key.

Add it.

> doc for ca says:
>   Use the file (or directory) specified by _location_ to
>   validate NTS-KE server certificates. This is a default
>   for all client and server connections.
> 
> OpenSSL has separate slots for root-cert dir and file.  How should I tell 
> which?  Should we have separate config options?
>
> I think Fedora and Debian cat all the certs in a directory into a file and 
> then use that for the default.  Sounds like a speedup.

Your call on these.  I'll supply the parser support for what you decide.

> There is a similar ca slot per server.
>     char *ca;           /* if NULL, use the site default (normal case) */
> Why?  Are we really interested in per server root certs for certificate 
> checking?  If so, example please?

That was a response to mail I saw on devel. It may be wrong.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.